CORPORATE

POLICY ON THE PROTECTION AND RETENTION OF THE PERSONAL DATA

  1. INTRODUCTION

1.1. Introduction

The protection of personal data of employees and other natural persons with whom they are in contact is among the top priorities for BTM Bitumlu Tecrit Malzemeleri Sanayi ve Ticaret Anonim Şirketi (“Company”) as the data controller. The most important step of this issue is managed by this Personal Data Protection and Retention Policy (“Policy”). The protection and processing of personal data of our employees, employee candidates, interns, visitors, product or service buyers, Company officials, supplier officials and employees, employees, shareholders and officials of the institutions we cooperate with, and third parties. According to the Constitution of the Republic of Turkey, everyone has the right to demand the protection of their personal data. Regarding the protection of personal data, which is a constitutional right, our Company pays due attention to the protection of personal data of our employees, employee candidates, interns, visitors, product or service buyers, Company officials, supplier officials and employees, employees, shareholders and officials of the institutions we cooperate with and third parties makes this a Company policy. In this context, all necessary care is taken by our Company and administrative and technical measures are taken for the protection of personal data processed in accordance with the relevant legislation.

  • Scope

This Policy applies to our employees, employee candidates, interns, visitors, product or service buyers, Company officials, supplier officials and employees, employees, shareholders and officials of the institutions we cooperate with, and third parties, provided that they are automatic or part of any data recording system related to all personal data processed by non-automatic means.

  • Implementation of the Policy and Related Legislation

The relevant legal regulations in force on the processing and protection of personal data will find application first, and in case of inconsistency between the legislation in force and the Policy, it is accepted by our Company that the applicable legislation will be implemented. The policy regulates the rules set forth by the relevant legislation by embodying it within the scope of Company practices.

  1. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the 6698 numbered Law on the Protection of Personal Data (“PDPL”), our Company takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the personal data it processes, to prevent illegal access to personal data and to ensure the retention of personal data, and in this context, it makes or has the necessary inspections made.

Our Company retains personal data for as long as required by law or for the purpose of processing personal data. Our company informs the relevant persons whose personal data are processed in accordance with Article 10 of the PDPL and requests the consent of the relevant persons in cases where consent is required, and processes this personal data based on the following criteria in line with their consent.

2.1. Ensuring the Security of Personal Data

Our Company takes the necessary legal, technical and administrative measures regarding data security related to the following issues and shows the necessary attention and care in this context. The actions and measures taken by our Company to ensure "data security" in accordance with Article 12 of the PDPL are listed below:

  • Our Company takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that personal data is processed in accordance with the law. The employees are informed that they cannot disclose the personal data they have learned in violation of the provisions of the PDPL, and that they cannot use them for purposes other than processing, and that this obligation will continue after their dismissal, and necessary commitments are taken from them in this context
  • Our Company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and the cost of implementation in order to prevent the imprudent or unauthorized disclosure, transfer or any other unlawful access to personal data.
  • Our Company raises awareness among data processing institutions such as business partners and suppliers to whom personal data has been transferred, on the prevention of illegal processing of personal data, the prevention of illegal access to data, and the provision of legal protection of data.
  • As a data controller, our company has obligations to comply with when processing personal data. The obligation to comply with the legal, administrative and technical measures developed in this regard is contractually imposed on data processing institutions, with which our Company is in contact with various titles, such as suppliers and business partners, in accordance with the nature of the activity they carry out in the field of data processing.
  • Our Company takes the necessary technical and administrative measures according to technological possibilities and implementation costs in order to keep personal data in secure environments and to prevent their destruction, loss or alteration for unlawful purposes.
  • Our company carries out or has had it done, in accordance with the 12. Article of the PDPL. The results of these audits are reported to the relevant department within the scope of the internal functioning of our Company and necessary activities are carried out to improve the measures taken.
  • Our company operates the system that ensures that the personal data processed in accordance with 12. Article of the PDPL is obtained by others illegally, this situation is reported to the relevant personal data owner and the Personal Data Protection Board (“Board”) as soon as possible.

2.2. Protection of Sensitive Personal Data

Special importance is attached to certain personal data in the PDPL due to the risk of causing discrimination or victimization of individuals when processed unlawfully. These data are data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Our Company acts sensitively in the protection of personal data of special nature, which are determined as "sensitive data" with the PDPL and are processed in accordance with the law. Therefore, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of sensitive personal data and necessary audits are provided in this context.

2.3. Clarifying and Informing the Personal Data Owner

Our Company informs the personal data owners in accordance with Article 10 of the PDPL during the acquisition of personal data. Within this scope, our Company provides personal data owners with information about their identity, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of personal data collection and legal reason, within the scope of Article 11 of the PDPL and the information about his/her the rights are given.

Article 20 of the Constitution stipulates that everyone has the right to be informed about the personal data concerning them. Accordingly, in Article 11 of the PDPL, the right to "request information" is counted among the rights of the personal data owner. In this context, our company provides the necessary information in case the personal data owner requests information in accordance with the 20. Article of the Constitution and the 11. Article of the PDPL.

Additionally, our Company informs the relevant persons about its own activities, especially when it applies to the express consent of the persons, about the processing of personal data in accordance with the law and the rule of good faith, and other relevant issues in the PDPL, with various documents open to the public, especially this Policy document. Thus, within the scope of personal data processing activities, the relevant parties are informed and accountability and transparency are provided within this framework.

  • Inspection of the Measures Taken on the Protection of Personal Data and Training of the Company Personnel

Our Company has a Personal Data Protection Committee. The Committee, on behalf of our Company, which is the data controller, carries out the necessary audits in person in order to ensure the implementation of the legislation in its own institution or organization, in accordance with its duty arising from Article 12 of the PDPL, and has it done by getting support from competent institutions when needed. The violations, negativities and non-compliances detected according to the results of this audit are reported to the responsible persons within the committee and necessary measures are taken regarding these issues. If the personal data is transferred to real or legal persons outsourced by our Company, the relevant companies to whom personal data is transferred in accordance with the law and the persons to whom personal data are transferred will take the necessary security measures for the protection of personal data and that these measures will be complied with in their own establishments through contracts which are made. Additionally, our Company makes agreements with its personnel, who are subject to the Labour Law No. 4857 and the Law No. 6356 on Trade Unions and Collective Bargaining, to comply with the personal data protection measures. Our company also acts in accordance with the decision of the Personal Data Protection Board dated 26.12.2019 and numbered 2019/393, if there are employees subject to the 6356 numbered Law on Trade Unions and Collective Bargaining. In this context, an informative text is communicated to the employees on the procedures and principles that they must comply with within the scope of the right to personal data protection, and reminding them of their obligations.

Our company provides its employees with the necessary trainings in order to prevent the illegal processing of personal data, illegal access to data, and to raise awareness about data protection

  1. ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

Our company is responsible for the processing of personal data in accordance with the Article 20 of the Constitution and Article 4 of the PDPL, law and good faith, accurately and, when necessary, for up-to-date, specific, clear and legitimate purposes, in a purpose-related, limited and measured manner. Our Company retains personal data for as long as required by law or for the purpose of processing personal data.

Our company acts in accordance with the regulations stipulated for the processing of personal data of special nature, in accordance with Article 6 of the PDPL.

Our company acts in accordance with the regulations stipulated in the law and set forth by the Board regarding the transfer of personal data in accordance with Articles 8 and 9 of the PDPL.

3.1. Processing of Personal Data in Compliance with the Principles Established in the Legislation

3.1.1. Processing in accordance with law and good faith

Our company acts in accordance with the principles brought by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, personal data is processed to the extent and limited to the business activities of our Company.

3.1.2. Ensuring Personal Data Are Accurate and Up-to-Date When Necessary

Our Company takes the necessary measures to ensure that personal data is accurate and up-to-date throughout the period of processing, and establishes the necessary mechanisms to ensure the accuracy and up-to-dateness of personal data for certain periods.

3.1.3. Processing for Specific, Explicit, and Legitimate Purposes

Our Company clearly reveals the purposes of processing personal data and processes the relevant personal data within the scope of purposes related to these activities in line with its business activities.

3.1.4. Being related to the Purpose for which they are Processed, Limited and Measured

Our Company collects personal data only in the quality and extent required by its business activities and processes it limited to the specified purposes.

3.1.5. Retention for as Long as Required for the Purpose of Processing or Envisioned in the Relevant Legislation

Our Company preserves personal data for the period required for the purpose for which they are processed and for the minimum period stipulated in the legal legislation to which the relevant activity is subject. In this context, our Company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period necessary for the purpose for which they are processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the application of the data owner and with the determined destruction methods (deletion and / or destruction and / or anonymization).

  • Personal Data Processing Conditions

Except for the express consent of the personal data owner, the basis of the personal data processing activity may be only one of the conditions stated below, or more than one condition may be the basis of the same personal data processing activity. In case the processed data is sensitive personal data, article 3.3 of this Policy. The terms in the title (“Processing of Special Categories of Personal Data”) will be applied.

  • Explicit Consent of the Personal Data Owner 

One of the conditions for the processing of personal data is the explicit consent of the data owner. The explicit consent of the personal data owner should be disclosed on the basis of being informed about a particular subject and with free will.

Pursuant to paragraph 2 of Article 5 of the PDPL, personal data may be processed without the need for the explicit consent of the data owner, in the presence of the personal data processing conditions listed below.

  • Clearly Provided in Laws

If there is a clear provision in the relevant laws regarding the processing of the personal data of the data owner, the personal data of the data owner may be processed.

  • Failure to Obtain Explicit Consent of the Related Person Due to Actual Impossibility

The personal data of the data owner may be processed if it is necessary to process the personal data of the person who is unable to express his or her consent due to actual impossibility or whose consent cannot be validated, in order to protect the life or physical integrity of himself or another person.

  • Being Directly Related to the Establishment or Performance of the Contract

Provided that it is directly related to the conclusion or performance of a contract to which the data owner is a party, if the processing of personal data is necessary, this condition can be deemed to be fulfilled and the personal data of the data owner can be processed.

  • Fulfilling Our Company's Legal Obligations

If personal data processing is necessary for our company to fulfil its legal obligations, the personal data of the data owner may be processed.

  • Making Personal Data Public by the Personal Data Owner

 If the personal data is made public by the data owner, the relevant personal data may be processed for the purpose of making it public.

  • Requirement of Data Processing for the Establishment or Protection of a Right

 If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.

  • Obligatory Data Processing for the Legitimate Interest of Our Company

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company.

  • Processing Conditions of Sensitive Personal Data

Sensitive personal data are processed by our Company in accordance with the principles set forth in this Policy, by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:

  • Special categories of personal data other than health and sexual life may be processed without the explicit consent of the data owner, provided that it is expressly stipulated in the law, in other words, there is a clear provision regarding the processing of personal data in the law governing the related activity. Otherwise, the explicit consent of the data owner will be obtained in order to process sensitive personal data.
  • Explicit consent by persons or authorized institutions and organizations under the obligation to keep confidential for the purpose of protecting private health and sexual life, protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing can be processed without a call. Otherwise, the explicit consent of the data owner will be obtained for the processing of sensitive personal data.

3.4. Personal Data Processing Activities within the Building, Facility Entrances and Building

Our Company carries out personal data processing activities for monitoring third party entries and exits with security cameras in our Company's buildings and facilities In order to ensure security. The personal data processing activities are carried out by our Company by using security cameras and recording third party entries and exits. In this context, our Company acts in accordance with the Constitution, PDPL and other relevant legislation.

Our company takes video recordings of third parties in the building, at the facility entrances and within the facility through the camera monitoring system. Our Company aims to increase the quality of the service provided within the scope of surveillance with security cameras, to ensure its reliability, to ensure the safety of our Company and third parties, and to protect the interests of third parties regarding the service they receive.

Our Company complies with the regulations in the PDPL in the execution of camera surveillance for security purposes. Only a limited number of Company employees have access to the records recorded and maintained in the digital environment. A limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality agreement. In accordance with Article 12 of the PDPL, our Company takes the necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring.

Apart from the above-mentioned camera recording, our Company carries out personal data processing for the purposes of ensuring security and tracking third party entries and exits in our Company's buildings and facilities, for the purposes specified in this Policy.

You can find detailed explanations about the camera monitoring activity on our website or by sending your request to the relevant personnel from the Camera Monitoring and Storage Policy.

  1. TRANSFER OF PERSONAL DATA

Our Company may transfer the personal data of the person concerned to third parties by taking the necessary security measures, in line with the purposes of processing personal data in accordance with the law in the following cases:

  • If there is a clear regulation in the law regarding the transfer of personal data,
  • If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
  • If personal data transfer is necessary for our company to fulfil its legal obligation,
  • If personal data transfer is necessary for the establishment, exercise or protection of a right,
  • If personal data transfer is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the person concerned,
  • In case of the existence of the conditions stipulated by the laws for personal data of special nature other than health and sexual life,
  • Personal data related to health and sexual life, on the other hand, only if there is a necessity to share them with authorized persons, institutions and organizations within the scope of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
  1. COMPANY PERSONAL DATA INVENTORY AND CLASSIFICATION OF PERSONAL DATA

At our Company, in line with the Company's legitimate and lawful personal data processing purposes, based on and limited to one or more of the personal data processing conditions specified in Article 5 and Article 6 of the PDPL, the general principles specified in the PDPL and the PDPL Personal data in the categories specified below are processed by informing the relevant persons, in compliance with all obligations set forth in.

Our Company has created a personal data inventory in accordance with the Data Controllers Registry Regulation enacted by the Personal Data Protection Authority. This data inventory includes data categories, data source, data processing purposes, data processing process, recipient groups to which the data is transferred, and retention periods. In this context, our Company's personal data inventory includes personal data in the following data categories.

 

PERSONAL DATA CATEGORIZATION

EXPLANATION OF PERSONAL DATA CATEGORIZATION

Identity Data

It is a data group that contains information about the identity of the person.

Communication Data

It is the data group that can be used to reach the person.

Visual and Audio Recordings Data

It is the data group that contains the visual and auditory data of the individual.

Personnel Data

This data category refers to data types such as payroll information, property declaration information, and resume information.

Financial Data

It is the data group that contains the financial information of the person.

Professional Experience Data

It is a data group that contains information about the profession, professional experience and educational information of the person.

Customer Transaction Data

This data category refers to data types such as call centre records, receipts, receipts, valuable papers information and billing information.

Legal Transaction Data

This category of data refers to data types such as information in correspondence with judicial authorities, information in the case file.

Transaction Security Data

It is a data group that contains transaction security data such as IP information, log records and cookies.

Risk Management

This category of data refers to the types of data, such as information processed to manage technical, administrative risks.

Marketing Data

This data category is the data group that contains the marketing information of the individual.

Physical Space Security Data

It is a data group that contains physical space security data such as camera records, entry and exit records of the person.

Health Data

It is a data group related to the person's health data.

Other

It refers to data such as Military Status Information, Vehicle Plate Information, which are not categorized in the Data Controllers Registry.

 

  1. PERSONAL DATA RETENTION PERIOD

Our Company stores personal data for the period specified in these legislations, in cases stipulated in the relevant laws and regulations. If a period of time is not regulated in the legislation regarding how long personal data should be kept, personal data is stored for a period of time that requires it to be kept in accordance with our Company's practices and public practices, depending on the activity carried out while processing that data.

According to the Article 138 of the Turkish Penal Code, Article 7 of the PDPL and the "Regulation on the Deletion, Destruction and Anonymization of Personal Data" put into effect by the Personal Data Protection Authority, personal data processed in accordance with the provisions of the relevant law shall be deemed to be subject to the elimination of the reasons for its processing. In case of removal, it is deleted, destroyed or anonymized pursuant to our Company's policies or upon the request of the person concerned. Our Company has established a policy in accordance with the provisions of the regulation in this regard and acts in accordance with this policy.

  1. RIGHTS OF RELATED PERSONS AND THE USE OF THESE RIGHTS

Our company notifies the rights of the person concerned in accordance with Article 10 of the PDPL and guides the person whose personal data is processed on how to use these rights regulated in Article 11. Our Company carries out the necessary channels, internal functioning, administrative and technical arrangements in accordance with Article 13 of the PDPL in order to evaluate the rights of the persons concerned and to provide the necessary information to the persons concerned.

7.1   Rights of Related Persons whose Personal Data are Processed

The persons whose personal data are processed have the following rights:

  1. Learning whether personal data is processed or not,
  2. If personal data has been processed, requesting information about it,
  3. Learning the purpose of processing personal data and whether they are used in accordance with the purpose,
  4. Knowing the third parties to whom personal data is transferred at home or abroad,
  5. Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
  6. Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing cease to exist, although it has been processed in accordance with the provisions of the PDPL and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
  7. Objecting to this result if a result against the person arises by analyzing the processed data exclusively through automated systems,
  8. Requesting the compensation of the damage in case of loss due to the processing of personal data in violation of the PDPL.

7.2. Circumstances in which the Person whose Personal Data is Processed cannot assert her/his rights

The persons whose personal data are processed, cannot claim their rights listed in 11.1, though the following cases are excluded from the scope of the PDPL in accordance with 28. Article of the PDPL:

  1. Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics,
  2. Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime,
  3. Processing personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security,
  4. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

According to the paragraph 2 of article 28 of the PDPL, the data subject whose personal data are processed, cannot claim their other rights listed in the 11.1. Article of the PDPL, except for the right to demand the compensation of the damage:

  1. Personal data processing is necessary for the prevention of crime or for criminal investigation,
  2. Processing of personal data made public by the person whose personal data is processed,
  3. Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by PDPL,
  4. The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

7.3. Using the Personal Rights of the Related Person

The persons whose personal data are processed will be able to submit their requests regarding their rights specified in this Policy to our Company free of charge, with the information and documents that will identify them, and by filling out and signing the application form, using the methods specified below or other methods determined by PDPL. The regulations in this regard have been made in the Personal Data Application and Response Procedure of BTM Bitümlü Tecrit Malzemeleri Sanayi ve Ticaret Anonim Şirketi and in the clarification texts.

The related person may execise his/her rights as follows:

  • After completing the form at the address of “Kemalpaşa OSB Mahallesi Gazi Bulvar No: 152 Kemalpaşa/Izmir”, a copy with wet signature must be sent in person or in writing via registered mail to the address of “Kemalpaşa OSB Mahallesi Gazi Bulvar No: 152 Kemalpaşa/İzmir” or brought in person.
  • After completing the form and signing with the “secure electronic signature” within the scope of Electronic Signature Law No. 5070, sending the secure electronic signature form to btm@hs03.kep.tr by registered e-mail, secure electronic signature, mobile signature or the person concerned, to our Company. Making an application to KVKK@btm.co by using the e-mail address previously reported and registered in our Company's system or by means of a software or application developed for application purposes.

In accordance with the Communiqué on Application Procedures to the Data Controller the related person has to give the following information so Though the above-mentioned application is accepted as a valid application;

  1. Name, surname and signature if the application is written,
  2. For citizens of the Republic of Turkey, T.R. identification number, nationality for foreigners, passport number or identification number, if any,
  3. Domicile or workplace address for notification,
  4. If available, the e-mail address, telephone and fax number for notification,
  5. Subject of the request

Otherwise, the application will not be considered as a valid application. In the applications to be made without filling out the application form, the issues listed here must be conveyed to our Company in full.

A special power of attorney must be issued by the relevant person through a notary public on behalf of the applicant in order for third parties to request an application on behalf of the persons whose personal data are processed.

IDENTITY OF DATA CONTROLLER

 

Central registration no.:               0187002570500016
Internet Address:                          www.btm.co

Phone:                                              (0232) 877 04 02 - 09
E-Mail:                                              KVKK@btm.co

KEP Address:                                   btm@hs03.kep.tr
Address:                                          
Kemalpaşa OSB Mahallesi Gazi Bulvar No: 152 Kemalpaşa/Izmir

 

This Policy has been announced at www.btm.co . Within this scope, the right to make changes in the Policy is reserved in accordance with legislative changes and our Company's policies. The current version of the Policy, together with the changes made, is announced at www.btm.co.

ANNEX-1 DEFINITIONS

Explicit Consent: Consent about a specific subject, based on information and expressed with free will.

Anonymization: It is the change of personal data in such a way that it loses its quality as personal data and this situation cannot be undone. E.g. Masking, aggregation, data corruption etc. making personal data incapable of being associated with a natural person, by means of techniques.

Application Form: “Application Form for Applications to be Made by the Related Person to the Data Controller in accordance with the Law on the Protection of Personal Data No. 6698”, which includes the application to be made by the persons whose personal data are processed to exercise their rights.

Employee Candidate: Natural persons who have applied for a job by BTM Bitumlu Tecrit Malzemeleri Sanayi ve Ticaret A.Ş. or have opened their CV and related information.

Employees, Shareholders and Officials of Collaborating Institutions: Real and legal persons, including shareholders and officials of these institutions, working in institutions (such as but not limited to business partners, suppliers) with which the Company has any business relationship.

Business Partner: Parties with whom the Company has established business partnerships for purposes such as carrying out various projects, receiving services, in person or together with them while carrying out its activities.

Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, All kinds of operations performed on data such as classification or prevention of use.

Relevant Person: The natural person whose personal data is processed. E.g; visitors, staff, customers, etc.

Personal Data: Any information relating to an identified or identifiable natural person (For example, name-surname, TR ID No., e-mail, address, date of birth, credit card number, etc.). Processing of information regarding legal entities is not covered by the PDPL.

Special Quality Personal Data: Data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Supplier: Parties that provide services to the Company on a contractual basis in accordance with the Company's orders and instructions while carrying out the Company's activities.

Third Party: Natural persons whose personal data are processed within the scope of the policy, who are not defined differently within the scope of the policy. E.g; family members, former employees.

Data Processor: The natural and legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller. E.g; Companies from which the company receives services, etc.

Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system). Within the scope of this policy, BTM Bituminous Tecrit Malzemeleri Sanayi ve Ticaret A.Ş. is the data controller.

Deletion of Data: It means that all relevant users within the company are encrypted to prevent access to personal data and only the data protection officer has this password.

Destruction of Data: It refers to the complete elimination of personal data, physically or technologically, in an irreversible way.

Visitor: Natural persons who visit the physical premises of the Company for various purposes. 

 

ANNEX-2 PERSONAL DATA PROCESSED BY OUR COMPANY AND THEIR PURPOSES

 

Related Person

Processed Personal Data Category

Processing Purposes of Personal Data

 

 

 

 

 

 

 

 

 

 

 

Employee

Identity Data
Communication Data
Professional Experience Data
Legal Transaction Data
Financial Data
Personnel Data
Visual and Audio Recordings

In accordance with the regulations related to these laws, especially the Labour Law No. 4857 the personal data of the employees are processed with the following purposes:

 

  • Execution of Employee Satisfaction and Loyalty Processes,
  • Fulfilling Obligations Arising from Employment Contracts and Legislation for Employees,
  • Execution of Benefits and Benefits Processes for Employees,
  • Carrying out the Activities in Compliance with the Legislation,
  • Carrying out the Activities in Compliance with the Legislation,
  • Execution of Finance and Accounting Affairs,
  • Execution of Assignment Processes,
  • Follow-up and Execution of Legal Affairs,
  • Carrying out Internal Audit / Investigation / Intelligence Activities,
  • Execution of Communication Activities,
  • Execution / Supervision of Business Activities,
  • Execution of Contract Processes,
  • Planning of Human Resources Processes,
  • Providing Information to Authorized Persons, Institutions and Organizations,
  • Execution of Training Activities

 

 

 

Employee

Health Data

Pursuant to Article 9 of the Occupational Health and Safety Law No. 6331 and the Regulation on the Duties, Authorities, Responsibilities and Trainings of Workplace Physicians and Other Health Personnel, the workplace doctor is obliged to perform the employment and periodic health examinations that indicate that the employees are suitable for the job they will do. In accordance with the relevant legislation; Health information of employees is processed in order to carry out occupational health and safety activities and to monitor the suitability of our employees for their duties.

Visitor

Physical Space Security Data

In order to monitor the entrance and exit of the visitors to our Company and to ensure the security of the Company building, in line with the legitimate interests of our Company, the images of the visitors are recorded with the camera recordings within our Company.

Visitor

Identity Data

Transaction Security Data

Identity information, IP address of our website visitors in order to record who and for what purpose use the internet service provided in accordance with the Law No. 5651 on Regulating Broadcasts Made on the Internet and Combating Crimes Committed Through These Broadcasts, executing the activities of our corporate website and confirming user information. The information, website entry and exit information are processed.

Employee Candidate

Identity Data
Communication Data
Professional Experience Data
Financial Data
Visual and Audio Recordings

Our Company processes the identity information, contact information, professional experience information, and financial information of the employee candidates in order to be able to evaluate the employee candidates for the appropriate position in the recruitment processes, in order to carry out the preparation processes related to employment.

Product or Service Recipient

Identity Data
Communication Data

Financial Data

Customer Transaction Data
Professional Experience Data

Legal Transaction Data

Marketing Data

Visual and Audio Recordings

Identity, communication, finance, marketing, visual and audio information recordings, customer transaction, professional experience and legal transaction data of the persons who purchase products or services, are processed limited to the data groups and duration specified in the relevant legislation, for the purpose of our Company to carry out its commercial activities, to carry out the sales processes of goods / services and to carry out the production and operation processes of goods / services.

Product or Service Recipient

 

Identity Data
Communication Data

 

Our company has to evaluate the demands and complaints of the people who buy products or services in order to ensure that the services are carried out in a planned, programmed, effective, efficient and harmonious manner. In this context, the identity and contact information of people who purchase products or services that contact our Company through the Call Centre are processed.

 

 

 

 

 

 

 

 

 

 

Supplier Official or Employee

 

 

 

 

 

 

Identity Data
Communication Data
Financial Data
Professional Experience Data

 

Pursuant to the contracts we have made with our suppliers for the continuity of our services, based on the nature of the demands in the units, to ensure that all products that the unit needs are purchased and paid to the relevant supplier,

 

Organizing the preparation of the purchasing file by preparing the relevant documents according to the method determined in the purchase of products and services within the scope of purchasing activities,

 

Coordinating the creation of the list of Suppliers from which the products/services used directly in the final product are purchased and the up-to-dateness of this list,

 

Coordinating the performance evaluation of suppliers and the keeping of relevant quality records,

 

Making the cost estimate calculation for the approved product and service needs of the departments, to ensure that it is done by the relevant department.

 

  

ANNEX-3 THIRD PARTIES TO WHICH PERSONAL DATA IS TRANSFERRED BY OUR COMPANY AND THE PURPOSE OF THE TRANSFER

 

Persons to whom Data Transfer can be made

Related Persons

Purpose of Data Transfer

 

Business partner

Product or Service Recipient

Supplier Employee/Official

Limited transfer is made in order to prepare and implement business strategies and to ensure that the objectives of the establishment of the business partnership are fulfilled.

 

Suppliers

Product or Service Recipient

Transfers are made on a limited basis in order to ensure that the services that our Company outsources from the supplier and that are required to carry out the activities of our Company are provided to our Company.

Authorized Public Institutions and Organizations

Product or Service Recipient

Supplier Employee/Official

Employee

In cases where public institutions and organizations demand and provide a legal basis, transfers are made for a limited purpose.

Natural Persons or Private Law Legal Entities

Product or Service Recipient

Supplier Employee/Official

Employee

It is transferred on a limited basis within the scope of works carried out with individuals and institutions such as lawyers, banks, private insurance and software companies.

Shareholders and Company Officials

Product or Service Recipient

Supplier Employee/Official

Employee

The purposes of establishment of our company are limited to ensure the fulfilment of its administrative and commercial activities