English
Türkçe
français
TEKNOPAK PLASTİK AMBALAJ SAN. TİC. LTD. ŞTİ.
PERSONAL DATA PROTECTION AND PROCESSING POLICY
Target Audience: All individuals whose personal data is processed by Teknopak Plastik Industry and Trade Ltd. Co.
Prepared by: Teknopak Plastik Industry and Trade Ltd. Co. Personal Data Protection Committee
Version: 2.0
Approved by: Approved by Teknopak Plastik Industry and Trade Ltd. Co.
TABLE OF CONTENTS
- 1. INTRODUCTION
- 1.1. Purpose
- 1.2. Scope
- 1.3. Basis
- 1.4. Definitions
- 2. PROCESSING OF PERSONAL DATA
- 2.1. Processing of Personal Data in Compliance with Legislation
- 2.2. Conditions for Processing Personal Data
- 2.3. Processing of Special Categories of Personal Data
- 2.4. Informing the Data Subject and Obtaining Explicit Consent
- 2.5. Transfer of Personal Data
- 3. PERSONAL DATA PARAMETERS AND INVENTORY
- 4. MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA
- 5. RETENTION AND DESTRUCTION OF PERSONAL DATA
- 6. RIGHTS OF PERSONAL DATA OWNERS AND EXERCISING THESE RIGHTS
- 6.1. Rights of the Data Subject
- 6.2. Exercising the Data Subject's Rights
- 6.3. Responding to Applications
- 6.4. Refusal of the Data Subject’s Application
- 6.5. Right of the Data Subject to File a Complaint with the Data Protection Board
- 7. ENFORCEMENT
- 8. EFFECTIVENESS AND ANNOUNCEMENT
1. INTRODUCTION
Teknopak Plastik Industry and Trade Ltd. Co. ("TEKNOPAK") places importance on the protection of personal data in its activities and prioritizes it in its operations. The TEKNOPAK Personal Data Protection and Processing Policy ("Policy") outlines the fundamental regulations for compliance with the procedures and principles set out by the Law on the Protection of Personal Data No. 6698 ("Law") in TEKNOPAK's organizational and business processes. In line with this Policy, TEKNOPAK processes and protects personal data with high responsibility and awareness, ensuring transparency by informing personal data owners.
1.1 Purpose
The purpose of this Policy is to align the procedures and principles stipulated by the Law and other relevant legislation with TEKNOPAK's organization and processes, ensuring their effective implementation in its activities. TEKNOPAK takes all necessary administrative and technical measures to process and protect personal data, raises awareness through this Policy, creates internal procedures, and conducts all necessary training to ensure consciousness. It also takes all necessary precautions to ensure compliance with the Law and has established effective audit mechanisms.
1.2 Scope
This Policy applies to all personal data obtained electronically or by non-electronic means, provided it is part of a data recording system, in the course of TEKNOPAK's business processes, and includes the Data Categories and Personal Data (Appendix-1) and the Personal Data Processing Purposes (Appendix-2).
1.3 Basis
This Policy is based on the Law and relevant legislation. Personal data is processed in accordance with various laws and regulations as listed, including the Law on the Establishment and Duties of the Ministry of Science, Industry, and Technology, the Law on the Protection of Consumers, and various laws related to Turkish Trade Law, Social Insurance, Intellectual Property, and Employment Law. In cases of inconsistency between the applicable legislation and the Policy, the relevant legislation prevails. The regulations stipulated by the legislation are applied through TEKNOPAK practices.
1.4 Definitions
| Definition | Description |
|---|---|
| Recipient Group | A category of real or legal persons to whom personal data is transferred by the data controller. |
| Explicit Consent | Consent based on being informed about a specific subject and given voluntarily. |
| Making Anonymous | Rendering personal data such that it cannot be associated with an identified or identifiable individual, even through matching with other data. |
| Employee | Personnel of the Personal Data Protection Authority. |
| Electronic Environment | Environments where personal data can be created, read, changed, and written by electronic devices. |
| Non-Electronic Environment | All environments that do not fall within the definition of electronic environments, including written, printed, visual, etc. |
| Service Provider | A real or legal person who provides services to the Personal Data Protection Authority based on a specific contract. |
| Data Subject | A real person whose personal data is processed. |
| Authorized User | Persons who process personal data within the data controller's organization or by authority from the data controller, excluding those responsible for technical storage, protection, and backup of data. |
| Destruction | The deletion, destruction, or anonymization of personal data. |
| Law | Law No. 6698 on the Protection of Personal Data. |
| Record Environment | Any environment where personal data is processed, either wholly or partially by automatic means or through non-automatic means, provided that it is part of a data recording system. |
| Personal Data | Any information relating to an identified or identifiable individual. |
| Personal Data Processing Inventory | An inventory created by data controllers, detailing personal data processing activities in connection with business processes, personal data processing purposes, categories of personal data, and recipient groups. |
| Processing of Personal Data | Any operation performed on personal data, such as collection, storage, alteration, sharing, transfer, and destruction. |
| Board | The Personal Data Protection Board. |
| Special Categories of Personal Data | Data revealing race, ethnicity, political views, religion, and other similar sensitive information. |
| Periodic Destruction | Recurrent deletion, destruction, or anonymization of personal data as per the data retention and destruction policy. |
| Policy | The Personal Data Retention and Destruction Policy. |
| Data Processor | A real or legal person processing personal data on behalf of the data controller. |
| Data Recording System | A system where personal data is structured according to certain criteria. |
| Data Controllers Registry Information System (VERBIS) | An information system that allows data controllers to register with the registry and perform other related operations via the internet. |
| Regulation | The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017. |
2. PROCESSING OF PERSONAL DATA
2.1 Processing of Personal Data in Compliance with Legislation
Personal data is processed in accordance with the following principles:
- Processing in Accordance with the Law and the Principle of Good Faith: Personal data is processed in compliance with the law and in a fair manner, limited to what is necessary for the purposes of the business processes.
- Ensuring that Personal Data is Accurate and Up-to-date: Necessary precautions are taken to keep the processed personal data accurate and up-to-date.
- Processing for Specific, Explicit, and Legitimate Purposes: Personal data is processed for specific and legitimate purposes within the scope of the business processes.
- Processing in a Relevant, Limited, and Proportionate Manner: Personal data is collected to the extent necessary and processed in a limited manner according to the purposes specified.
- Retaining for the Necessary Period: Personal data is retained for the period required by the relevant legislation or for the purpose for which it was processed. At the end of the retention period, personal data is destroyed in accordance with the method specified (deletion, destruction, or anonymization).
2.2 Conditions for Processing Personal Data
Personal data is processed based on the explicit consent of the data subject or in one or more of the following conditions:
- Processing Personal Data without Explicit Consent:
- Explicitly Prescribed by Law: If personal data processing is explicitly regulated by law, personal data may be processed without the consent of the data subject.
- Inability to Obtain Consent due to Actual Impossibility: If obtaining the consent of the data subject is not possible due to physical impossibility, or if the consent is invalid, the personal data may be processed to protect the life or physical integrity of the data subject or another person.
- Processing Related to the Establishment or Performance of a Contract: Personal data may be processed if it is directly related to the establishment or performance of a contract to which the data subject is a party.
- Fulfilling a Legal Obligation: Personal data may be processed to fulfill TEKNOPAK’s legal obligations.
- Personal Data Made Public by the Data Subject: Personal data made public by the data subject may be processed without the explicit consent of the data subject for the purpose of public disclosure.
- Processing for the Establishment, Use, or Protection of a Right: Personal data may be processed if it is necessary for the establishment, use, or protection of a right.
- Processing Necessary for Legitimate Interests: Personal data may be processed if it is necessary for the legitimate interests of TEKNOPAK, provided that the fundamental rights and freedoms of the data subject are not harmed.
- Processing of Personal Data with Explicit Consent: In cases where the above conditions are not met, personal data is processed with the explicit consent of the data subject.
2.3 Processing of Special Categories of Personal Data
TEKNOPAK processes special categories of personal data in accordance with the principles set out in the Law and Policy, taking all necessary administrative and technical measures determined by the Board and following the procedures below:
- Processing is explicitly prescribed by law,
- Processing is necessary to protect the life or physical integrity of a person who cannot give consent,
- Processing of personal data made public by the data subject is consistent with the purpose of public disclosure,
- Processing is necessary for the establishment, use, or protection of a right,
- Processing is necessary to fulfill legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance.
In cases where other conditions apply, “obtaining the explicit consent of the data subject” is required.
2.4 Informing the Data Subject and Obtaining Explicit Consent
TEKNOPAK informs the data subjects about the purposes for which their personal data is processed, with whom it is shared, the methods of collection, the legal reasons, and the rights they have regarding the processing of their personal data. The relevant information is provided in compliance with the law through prepared information texts (Appendix-3), such as the "Customer Information Text" (Appendix-3.1), "Supplier Information Text" (Appendix-3.2), "Employee Information Text" (Appendix-3.3), "Employee Candidate Information Text" (Appendix-3.4), "Website Cookie Information Text" (Appendix-3.5), "Camera Information Text" (Appendix-3.6), and "Card Employee Tracking Information Text" (Appendix-3.8).
The explicit consent of the data subject, including special categories of personal data, is obtained after informing the data subject through the information text.
2.5 Transfer of Personal Data
Transfer of Personal Data within the Country
TEKNOPAK transfers personal data, for the purposes of processing, to real persons, private law legal entities, private insurance companies, suppliers, authorized public institutions, and contracted service providers with whom cooperation is conducted, according to the table of "Persons to whom Personal Data is Transferred and Purposes of Transfer (Appendix-4)." Transfer is carried out in compliance with the law, for legitimate purposes, and in a limited manner.
Before transferring data, confidentiality agreements (Appendix-5) are signed to ensure data security and prevent data breaches.
Transfer of Personal Data Abroad
There is no transfer of data abroad. If data transfer abroad occurs in the future, it will be conducted in accordance with the following principles:
- Personal data may be transferred abroad if one of the following conditions is met, in addition to one of the conditions mentioned in sections 2.2 and 2.3:
- Adequacy decision exists for the country or sector in question or for international organizations.
- In the absence of an adequacy decision, appropriate safeguards (Binding Corporate Rules, Commitments, Standard Contract) are provided, ensuring the data subject has access to effective remedies in the country to which the data is transferred.
- If an adequacy decision and appropriate safeguards are not provided, data transfer abroad may only be carried out if one of the following exceptions applies:
- The data subject gives explicit consent to the transfer after being informed of potential risks.
- Data transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures at the request of the data subject.
- Data transfer is necessary for the conclusion or performance of a contract in the interest of the data subject between the data controller and another real or legal person.
- Data transfer is necessary for the public interest.
- Data transfer is necessary for the establishment, exercise, or protection of a right.
- Data transfer is necessary to protect the life or physical integrity of a person who cannot give consent due to actual impossibility.
- Data transfer is necessary based on access to a public register.
Personal data may be transferred abroad with the permission of the Board in cases where it is deemed that Turkey's or the data subject’s interests could be significantly harmed.
3. PERSONAL DATA PARAMETERS AND INVENTORY
TEKNOPAK processes personal data in various business units, including management, administrative (HR and personnel), financial (accounting), production, quality, planning, sales and marketing, warehouse, purchasing, logistics, IT (outsourced) in connection with personal data subjects, including employee candidates, employees, shareholders/partners, potential customers, suppliers, supplier employees, service recipients, and visitors. Data processing activities are carried out according to data categories and processing purposes as disclosed in TEKNOPAK’s profile on https://verbis.kvkk.gov.tr.
All personal data processing activities are conducted in accordance with the Personal Data Processing Inventory (Appendix-6). Necessary information texts, consent texts, and other documents are prepared according to the Inventory. The Inventory is updated in the event of changes to personal data.
4. MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA
TEKNOPAK takes the necessary technical and administrative measures specified in the Personal Data Retention and Destruction Policy (Appendix-7) to protect the personal data it processes in accordance with the Law. These measures include conducting audits, raising awareness, and providing necessary training to employees.
In the event that personal data is obtained by unauthorized third parties despite these measures, TEKNOPAK implements the "Personal Data Breach Response Plan" (Appendix-8).
Employees are given necessary training on personal data protection upon hiring and annually thereafter. A "Personal Data Protection Training Participation Form" (Appendix-9) is signed to confirm attendance.
TEKNOPAK creates the necessary business processes and consults experts to increase employee awareness of personal data protection. The management evaluates the results of these training sessions and updates them when necessary due to changes in legislation.
A "Employee Confidentiality Agreement" (Appendix-10) is signed with employees to ensure the confidentiality of personal data. Additionally, employees sign an "Employee Information Security Awareness Declaration" (Appendix-11) annually to remind them of key security protocols.
Annual audits are conducted using the "KVKK Audit Form" (Appendix-12), and any deficiencies identified during these audits are promptly addressed.
Security cameras are used in a way that does not infringe upon individuals' privacy and are placed only in areas necessary for achieving security objectives. No excessive monitoring takes place.
5. RETENTION AND DESTRUCTION OF PERSONAL DATA
TEKNOPAK retains personal data for the period specified by relevant legislation or for the necessary duration based on the purpose of processing. If a specific retention period is not established by law, personal data is retained for the period necessary for the purpose of processing and is then destroyed using the method specified in the Personal Data Retention and Destruction Policy (Appendix-7).
6. RIGHTS OF PERSONAL DATA OWNERS AND EXERCISING THESE RIGHTS
6.1. Rights of the Data Subject
Personal data subjects have the following rights under the Law:
- To learn whether their personal data is processed,
- To request information about the processing of their personal data,
- To learn the purpose of processing personal data and whether it is used in accordance with its purpose,
- To know the third parties to whom personal data is transferred domestically or abroad,
- To request correction of personal data if it is incomplete or inaccurate and to request that the correction be communicated to third parties to whom the personal data was transferred,
- To request the deletion or destruction of personal data under the conditions provided by the Law and to request that this be communicated to third parties to whom the personal data was transferred,
- To object to the processing of personal data exclusively by automated systems if it leads to an adverse result for the individual,
- To request compensation if they suffer damage due to unlawful processing of personal data.
6.2. Exercising the Data Subject's Rights
Personal data subjects can submit their requests regarding their rights under article 6.1. to TEKNOPAK using the methods determined by the Board. The "Data Subject Application Form" (Appendix-13) can be used for this purpose.
6.3. Responding to Applications
TEKNOPAK responds to requests from personal data subjects in accordance with the Law and other relevant legislation. Properly submitted requests are resolved within thirty (30) days at the latest, free of charge. However, if the transaction involves additional costs, a fee may be charged according to the tariff set by the Board.
6.4. Refusal of the Data Subject’s Application
TEKNOPAK may refuse the request of the data subject for the following reasons, with an explanation:
- If personal data is processed for purposes such as research, planning, and statistics after being anonymized,
- If personal data is processed for purposes such as national defense, public safety, public order, or national economic security, provided that it does not violate private life or personality rights or constitute a crime,
- If personal data is processed by authorized public institutions within the scope of their preventive, protective, or intelligence-related duties,
- If personal data is processed by judicial authorities or execution authorities in connection with legal proceedings,
- If personal data is processed for crime prevention or criminal investigation,
- If personal data is processed from publicly available information shared by the data subject,
- If personal data is processed by public institutions for audit, regulatory, or disciplinary purposes as authorized by law,
- If personal data is processed for protecting the financial and economic interests of the state in connection with budgetary or tax matters,
- If the data subject's request hinders the rights and freedoms of others,
- If the request is excessive or requires disproportionate effort,
- If the information requested is publicly available.
6.5. Right of the Data Subject to File a Complaint with the Data Protection Board
If a request is rejected, the response is deemed insufficient, or there is no response within the required time, the data subject has the right to file a complaint with the Board within thirty days after receiving the response or within sixty days of submitting the request if no response is received.
6.6. Information TEKNOPAK May Request from the Data Subject
TEKNOPAK may request additional information to verify the identity of the data subject when processing the application. TEKNOPAK may also ask the data subject questions to clarify matters related to the application.
7. ENFORCEMENT
This Policy, together with its appendices, has been approved and enacted by the Board of Directors. The Board of Directors, along with the Personal Data Protection Committee, is responsible for executing, updating, and supervising all activities related to the Law and Policy.
8. EFFECTIVENESS AND ANNOUNCEMENT
This Policy takes effect as of the date of its publication. Any changes to this Policy will be published on TEKNOPAK's website (www.bergamaplastik.com) and made available to personal data subjects and relevant parties. The changes will take effect upon announcement.
APPENDICES
- Appendix 1- Data Categories and Personal Data
- Appendix 2- Personal Data Processing Purposes
- Appendix 3- Information Texts
- Appendix 3.1- Customer Information Text
- Appendix 3.2- Supplier Information Text
- Appendix 3.3- Employee Information Text
- Appendix 3.4- Employee Candidate Information Text
- Appendix 3.5- Website Cookie Information Text
- Appendix 3.6- Camera Information Text
- Appendix 3.7- Transport Invoice Information Text
- Appendix 3.8- Card Employee Tracking Information Text
- Appendix 4- Persons to whom Personal Data is Transferred and Purposes of Transfer
- Appendix 5- Corporate Confidentiality Agreement
- Appendix 6- Personal Data Processing Inventory
- Appendix 7- Personal Data Retention and Destruction Policy
- Appendix 8- Personal Data Breach Response Plan
- Appendix 9- Personal Data Protection Training Participation Form
- Appendix 10- Employee Confidentiality Agreement
- Appendix 11- Employee Information Security Awareness Declaration
- Appendix 12- KVKK Audit Form
- Appendix 13- Data Subject Application Form
- Appendix 14- Personal Data Protection Committee Internal Directive
APPENDIX 1 - Categorical Personal Data Processing Purposes
| Protection of public health, preventive medicine, medical diagnosis, treatment, and care services |
| Execution of Emergency Management Processes |
| Execution of Information Security Processes |
| Execution of Employee Candidate / Intern / Student Selection and Placement Processes |
| Execution of Employee Candidate Application Processes |
| Execution of Employee Satisfaction and Loyalty Processes |
| Fulfillment of Obligations Related to Employment and Legal Requirements for Employees |
| Execution of Employee Benefits and Rights Processes |
| Execution of Audit / Ethical Activities |
| Execution of Training Activities |
| Management of Access Rights |
| Ensuring Compliance with Legislation |
| Execution of Finance and Accounting Processes |
| Ensuring Physical Space Security |
| Execution of Assignment Processes |
| Tracking and Execution of Legal Affairs |
| Execution of Internal Audit / Investigation / Intelligence Activities |
| Execution of Communication Activities |
| Planning of Human Resources Processes |
| Execution and Supervision of Business Activities |
| Execution of Occupational Health and Safety Activities |
| Receiving and Evaluating Suggestions for Improving Business Processes |
| Execution of Business Continuity Activities |
| Execution of Logistics Activities |
| Execution of Purchasing Processes |
| Execution of Sales Processes |
| Execution of Production and Operation Processes |
| Organization and Event Management |
| Execution of Performance Evaluation Processes |
| Execution of Advertising / Campaign / Promotion Processes |
| Execution of Risk Management Processes |
| Execution of Storage and Archiving Activities |
| Execution of Contract Processes |
| Tracking of Requests / Complaints |
| Execution of Supply Chain Management Processes |
| Execution of Compensation Policy Processes |
| Ensuring Security of Data Controller Operations |
| Execution of Talent / Career Development Activities |
| Providing Information to Authorized Individuals, Institutions, and Organizations |
| Execution of Management Activities |
APPENDIX 2 - Data Categories and Personal Data
| Data Categories | Personal Data |
|---|---|
| Identity | Name, Surname Mother-Father Name Date of Birth Place of Birth Marital Status ID Card Serial Number National ID Number Gender Information National ID Card Driver's License |
| Contact | Address Email Address Contact Address Registered Electronic Mail (KEP) Address Phone Number |
| Employment | Payroll Information Disciplinary Investigation Employment Start-Exit Records CV Information |
| Legal Procedure | Information from correspondence with judicial authorities, information in legal case files, etc. |
| Customer Transaction | Invoice Promissory Note Check Information Entry-Exit Information Order Information |
| Physical Space Security | Employee and Visitor Entry-Exit Log Information Camera Records |
| Transaction Security | Transaction Security (IP address information, website entry-exit information, password and password information) IP Address Information Website Entry-Exit Information Password and Password Information |
| Risk Management | Information processed for the management of commercial, technical, or administrative risks |
| Finance | Balance Sheet Information Financial Performance Information Credit and Risk Information Bank Account Number IBAN Number |
| Professional Experience | Diploma Information Courses Attended In-service Training Information Certificates |
| Marketing | Shopping History Information Information obtained from campaign work |
| Visual and Audio Records | Closed Circuit Camera System Image, Audio Recording |
| Health Information | Disability Status Information Blood Type Information Personal Health Information Information on Devices and Prosthetics Used Laboratory and Imaging Results Test Results Examination Data Prescription Information |
| Criminal Conviction and Security Measures | Information on criminal convictions Information on security measures |
| Family Information | Number of Children Family Card Spouse's Work Information Children's Education and Age Information |
| Employment Information | Department Work Type Profession Previous Company Information Reference Information |
| Signature Information | Wet or electronic signature, fingerprints, and special marks on personal data |
| Website Usage Data | Frequency/Times of Login to Site Last Login Date IP Address |
| Request/Complaint Management Information | Survey Data Personal data regarding the receipt and evaluation of any requests or complaints directed at the Company. |
| Reputation Management Information | Information and assessment reports created for the purpose of protecting the Company's commercial reputation. |
| Incident Management Information | Personal data processed for the purpose of taking necessary legal, technical, and administrative measures to protect the commercial rights and interests of the Company and its customers. |
| Insurance Information | Private Insurance Data Social Security Institution Data |
| Vehicle Information | Vehicle License Plate Data |
| Compliance Information | Personal data processed for compliance purposes |
| Audit and Inspection Information | Personal data processed during internal or external audit activities |
APPENDIX 4 - Persons to whom Personal Data is Transferred and Purposes of Transfer
TEKNOPAK, in accordance with Articles 8 and 9 of the Law, may transfer the personal data of participants, customers, and employees to the following categories of persons:
| Persons to whom Data May Be Transferred | Definition | Purpose and Scope of Data Transfer |
|---|---|---|
| Real persons or private law legal entities | Real or legal persons with whom business is conducted | Limited to the scope of business or transaction being conducted |
| Legally Authorized Public Institutions and Organizations | Public institutions such as the Social Security Institution, Tax Offices, etc. | Limited to the purposes required by the legal authority of public institutions |
| Contracted service providers and business partners | Entities from whom services are contracted or with whom cooperation is conducted | Limited to the terms of the contract and cooperation |
| Suppliers | Entities providing goods and services as required for commercial activities | Limited to the purposes of acquiring goods and services from external sources |
| Private Insurance Companies | Contracted Private Pension System (BES) company | Limited to notifications made within the scope of BES |