PDP Policy

POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

CHAPTER 1: INTRODUCTION

I. IMPORTANCE OF PROTECTION OF PERSONAL DATA

The protection of personal data is a constitutional right and is among our Company's priorities. For this purpose, this Policy has been established with the aim of maintaining a system within our Company that is kept constantly up to date. Within the scope of the Law on the Protection of Personal Data numbered 6698, “Toyota Boshoku Türkiye Otomotiv ve Sanayi Ticaret A.Ş.” (the Company), bearing the title of Data Manager, has the obligation to inform and enlighten its business partners, shareholders, customers and the real or legal persons with whom it has legal relations and communication; this document has been prepared in order to fulfill that obligation. Within the scope of this Policy, the protection of the personal data of our customers, potential customers, employees, candidate employees, company shareholders, company officials, visitors, the workers of our business partners, their shareholders and their officials as well as third persons is regulated by the main principles set out below.

Regarding the implementation of the subjects specified in this Policy, the related procedures within the Company are regulated and special disclosure texts are being prepared, confidentiality agreements are made, the job definitions are revised, the technical and administrative measures required for the protection of personal data are taken by Toyota Boshoku Türkiye Otomotiv ve Sanayi Ticaret A.Ş. and in this scope, the required controls are carried out or ordered to be carried out. Protection of Personal Data is also taken over by the top management, and the process of protecting personal data is managed through the establishment of a special committee (Corporate PDP Committee).

II. THE PURPOSE OF THE POLICY

The main purpose of this policy is to put forth the principles regarding the personal data processing activities and regarding the protection of personal data as duly conducted by Toyota Boshoku Türkiye Otomotiv ve Sanayi Ticaret A.Ş. and to ensure transparency by informing and enlightening our customers, potential customers, employees, candidate employees, company shareholders, company officials, visitors, the workers of our business partners, their shareholders and their officials as well as third persons or anyone whose personal data is processed by our company.

III. SCOPE

This Policy covers all personal data of our customers, potential customers, employees, candidate employees, company shareholders, company officials, visitors, the workers of our business partners, their shareholders and their officials as well as third persons, whose data is processed automatically, or non-automatically as part of any data recording system.

IV. POLICY AND RELATED LEGISLATION APPLICATION

Relevant statutory regulations in force in the processing and protection of personal data will first find application. If there is a discrepancy between the applicable legislation and the Policy, our Company agrees that the applicable legislation will prevail in practice.

V. ACCESSIBILITY AND UPDATES

The policy is published on our Company's website (http://www.toyota-boshokutr.com) and is made accessible to interested parties upon request of personal data owners and updated as necessary.

CHAPTER 2: PERSONAL DATA PROCESSING

In accordance with Article 20 of the Constitution and Article 4 of the Law on the Protection of Personal Data, our Company processes personal data in accordance with the rules of law and honesty; accurately and, where necessary, up to date; for specific, explicit and legitimate purposes; and in a manner that is connected with, limited to and proportionate to such purposes. Our Company keeps personal data only for as long as it is required by law or by the purpose for which the personal data is processed.

Our company processes personal data in accordance with the article 20 of the Constitution and article 5 of the Law on the Protection of Personal Data, depending specifically on one or more of the provisions contained in the article 5 of the Law on the Protection of Personal Data, regarding the processing of personal data.

Our company processes the personal data of its employees and candidate employees for the purpose of offering job skills and the execution of the job contract, in accordance with the article 419 of the Law of Obligations and with reserve to the Law on the Protection of Personal Data numbered 6698.

In accordance with the article 20 of the Constitution and article 10 of the Law on the Protection of Personal Data, our company enlightens the owners of personal data and in cases when such owners of personal data request information and apply in order to make use of their legal rights, offers the necessary briefing and responds to the applications in their legal period.

Our company complies with the regulations envisaged for the processing of personal data of special qualities in accordance with Article 6 of the Law on the Protection of Personal Data.

Our company abides with the rules of law, as regards to the transfer of personal data, in accordance with the article 8 and 9 of the Law on the Protection of Personal Data and acts in consideration of the communiques and resolutions made by Personal Data Protection Committee and in line with the lists of secure countries.

I. PROCESSING OF PERSONAL DATA IN COMPLIANCE WITH PRINCIPLES AND RULES PRESENTED IN THE LEGISLATION

1. Principles of Processing Personal Data

A) Lawful and Integrity Processing

Our company acts in accordance with the principles of legal regulation in the processing of personal data and the principle of general trust and honesty. In this context, our Company considers the proportionality requirements in the processing of personal data and does not use personal data except as required by the purpose.

B) Ensuring the Precision of and Updating Personal Data as Required 

Our company ensures that the personal data that is being processed by considering the personal data owners’ fundamental rights and their legitimate interests, is accurate and up-to-date. It takes the necessary precautions in this direction.

C) Processing with Specific, Open and Legitimate Purposes

Our company determines the purpose of processing personal data, which is legitimate and according to the rule of law, openly and definitely. Our company processes personal data in connection with the services it offers and to the extent that is required for such services. The purpose for which the personal data will be processed is determined by our Company prior to the activity of processing.

D) Processing in Connection with the Purpose, with Limitations and Restraint

Our company processes personal data in a manner that is conducive to the achievement of the stated objectives and avoids the processing of personal data that is not relevant or not required to be performed.

E) Retaining Data for the Period Defined in the Related Legislation or Required for the Purpose of Processing

Our company retains personal data only for the period required for the purpose for which it is stated or covered in the applicable legislation. In this scope, our Company firstly determines whether there is a period for the length of which personal data can be retained as specified in the laws and if such period is provided, acts accordingly and in this scope, considers the law and penal lapse of time and retains the personal data throughout the period required for the purpose for which they are processed. In cases when such period ends and the reasons for the processing are no longer available, personal data are deleted, destroyed or anonymized by our Company.

2. Processing Rules of Personal Data with General Qualifications

The protection of personal data is a constitutional right and basic rights and freedoms may be restricted by law only in accordance with the reasons stated in the relevant articles of the Constitution, without disturbing their essence. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may only be processed in the cases provided for in the law or in the open consent of the person in question. Our Company processes personal data without receiving the consent of the related individual only on the conditions below:

a) In cases when it is explicitly prescribed by law,

b) In cases when it becomes necessary for the individual who is not able to state their consent or whose consent is not legally valid, for the protection of such person’s or another person’s life and bodily integrity,

c) In cases when the processing of personal data of the parties of an agreement becomes necessary for the making and execution of such agreement,

d) In cases when it is necessary for the data manager to fulfill their liabilities,

e) In cases when it is publicized by the related individuals themselves,

f) In cases when it is obligatory for the establishment, use or protection of a right,

g) In cases when it becomes necessary for the legitimate interests of the data manager, on the condition that there will be no harm to the basic rights and freedoms of the individual in question.

In cases when the aforementioned conditions are not present, the relevant person’s consent based on informing and openness is sought by our Company.

3. Rules for the Processing of Special Personal Data

We treat personal data identified as "special" by the Law on the Protection of Personal Data in accordance with the regulations set forth in that Law. In Article 6 of the Law on the Protection of Personal Data, certain personal data which bear the risk of causing victimization or discrimination of persons when processed in contravention of the law are designated as "special", and care must be given to the handling of such data. These are the data with respect to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, costume and clothing, association, foundation or trade union membership, health, sexual life, data regarding criminal conviction and security measures, and biometric and genetic data. In accordance with the Law on the Protection of Personal Data, special personal data are processed by our Company in the following cases, provided that the necessary measures are taken:

✓ Special personal data of the personal data owner other than data regarding health and sexual life are processed if this is provided for in the law, or if there is explicit consent of the personal data owner,

✓ The special personal data regarding the health and sexual life of the owner of personal data are processed only for the purposes of public health protection, preventive medicine, medical diagnosis, treatment and care services, planning and management of health care financing, by persons who are under obligation to keep secrets or by authorized institutions and organizations, or by the open consent of the owner of personal data.

✓ No matter the reasons behind it, the general data processing principles are considered during the data processing processes and compliance with such principles is ensured (Law on the Protection of Personal Data article 4; see above Chapter 2, I, 1).

4. Enlightenment and Informing of the Personal Data Owner

Our company, in accordance with Article 10 of the Law on the Protection of Personal Data, enlightens personal data owners during the acquisition of personal data. In this scope Toyota Boshoku Türkiye Otomotiv Sanayi ve Ticaret A.Ş. and if available, its representative, provides information as to the purpose of processing of the personal data, the persons to which the processed data can be submitted and the purposes of such submission, the method of personal data collection and the legal grounds of such collection as well as the rights of the personal data owner. Again, according to the article 11 of the Law on the Protection of Personal Data, among the rights of the owner of personal data is “demanding information” and our Company, in this respect, acts in accordance with the article 20 of the Constitution and article 11 of the Law on the Protection of Personal Data, and informs the individual in cases when such individual requests information.

II. TRANSFER OF PERSONAL DATA

Our Company may transfer the personal data and the special personal data of the personal data owner to third persons (third party companies, group companies, third party persons) by taking the necessary security measures, in line with the legal personal data processing purposes. Our Company is in compliance with the regulations laid down in Article 8 of the Law on the Protection of Personal Data.

1. Principles for the Transfer of Personal Data

In accordance with the legitimate and legal purposes of processing personal data, our Company may transfer personal data to third parties based on one or more of the personal data processing conditions specified in Article 5 of the Law, provided as below:

✓ In cases when the personal data owner has explicit consent and depending on that consent; or

✓ In cases when there is an explicit provision in the law regarding the transfer of personal data,

✓ In cases when it becomes necessary for the individual who is not able to state their consent or whose consent is not legally valid, for the protection of such person’s or another person’s life and bodily integrity,

✓ In cases when the transfer of personal data of the parties of an agreement becomes necessary for the making and execution of such agreement,

✓ In cases when transfer of data is necessary for the company to fulfill their legal liabilities,

✓ In cases when personal data is publicized by the related individuals themselves,

✓ In cases when it is obligatory for the establishment, use or protection of a right,

✓ In cases when it becomes necessary for the legitimate interests of our Company, on the condition that there will be no harm to the basic rights and freedoms of the individual in question.

No matter the reasons behind it, the general data processing principles are considered during the data processing processes and compliance with such principles is ensured (Law on the Protection of Personal Data article 4; see above Chapter 2, I, 1).

2. Transfer of Special Personal Data

By taking necessary safety precautions and taking adequate measures as prescribed by the Personal Data Protection Committee, our Company may transfer the special data of the personal data owner in accordance with the legitimate and legal personal data processing purposes.

In cases when the personal data owner has explicit consent and in line with that or in cases when the explicit consent of the personal data owner is lacking;

✓ The special personal data of the personal data owner, other than the health and sexual life of such individual, (with respect to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, costume and clothing, association, foundation or trade union membership, health, sexual life, data regarding criminal conviction and security measures and biometric and genetic data), are transferred in cases when it is legally necessary,

✓ The special personal data regarding the health and sexual life of the owner of personal data are transferred only for the purposes of public health protection, preventive medicine, medical diagnosis, treatment and care services, planning and management of health care financing, by persons who are under obligation to keep secrets or by authorized institutions and organizations or by the open consent of the owner of personal data.

No matter the reasons behind it, the general data processing principles are considered during the data processing processes and compliance with such principles is ensured (Law on the Protection of Personal Data article 4; see above Chapter 2, I, 1).

3. Transfer of Personal Data Abroad

In accordance with the legitimate and legal purposes of processing personal data, our Company may transfer personal data and special personal data of the personal data owners to third parties abroad by taking the necessary security precautions. Our Company transfers personal data to foreign countries that are named by the Personal Data Protection Committee as having taken the required security precautions (“Foreign Country with Adequate Protection”) or, in cases when there is a lack of adequate protection, to foreign countries for which the data managers in Turkey and in the related foreign country undertake that the necessary protection exists and for which the Personal Data Protection Committee also gives its consent (“Foreign Country with Data Manager Undertaking Adequate Protection”). In this respect, our Company is in compliance with the regulations set forth in Article 9 of the Law on the Protection of Personal Data.

In line with the legitimate and legal data processing purposes, our Company may transfer personal data to Foreign Countries with Adequate Protection or to Foreign Countries with Data Manager Undertaking Adequate Protection, if the owner of the personal data has explicit consent, and if not, in the following cases:

✓ In cases when there is an explicit provision in the law regarding the transfer of personal data,

✓ In cases when it becomes necessary for the individual who is not able to state their consent or whose consent is not legally valid, for the protection of such person’s or another person’s life and bodily integrity,

✓ In cases when the transfer of personal data of the parties of an agreement becomes necessary for the making and execution of such agreement,

✓ In cases when transfer of data is necessary for the company to fulfill their legal liabilities,

✓ In cases when personal data is publicized by the related individuals themselves,

✓ In cases when it is obligatory for the establishment, use or protection of a right,

✓ In cases when it becomes necessary for the legitimate interests of our Company, on the condition that there will be no harm to the basic rights and freedoms of the individual in question.

4. The Third Persons to Whom the Personal Data Is Transferred and Purpose of such Transfer

A) Persons to whom Data Is Transferred

In accordance with the article 10 of the Law on the Protection of Personal Data, our Company notifies the owner of personal data about the groups of individuals to which the personal data is transferred. Pursuant to articles 8 and 9 of the Law on the Protection of Personal Data, our Company may transfer the personal data to the categories of the persons listed below:

✓ Toyota Boshoku Türkiye Otomotiv Sanayi ve Ticaret A.Ş. Business Partners,

✓ Toyota Boshoku Türkiye Otomotiv Sanayi ve Ticaret A.Ş. Suppliers,

✓ Toyota Boshoku Türkiye Otomotiv Sanayi ve Ticaret A.Ş. Main Shareholders,

✓ Authorities and Institutions That Are Legally Authorized,

✓ Private Legal Persons that Are Legally Authorized.

B) Purpose of Data Transfer

✓ Limited to the fulfillment of the purposes for the establishment of the business partnership,

✓ Limited to the purpose of receiving the services that are outsourced by our Company from another resource and required for the fulfillment of the business activities of our Company; in line with the purpose of enforcement of the human resources policies of our Company, for conducting the human resources operations according to the related human resources policies, for the fulfillment of liabilities in occupational health and safety and for taking the necessary precautions thereon,

✓ According to the legislation related to our subsidiaries, shareholders, public authorities and institutions and legal persons that are legitimately authorized,

✓ According to the legislation related to the designation of the strategies and auditing activities for the business operations of our Company,

✓ According to the related legislation regarding the public authorities and institutions authorized to receive information and documentation from our Company,

✓ Limited to conducting the business operations requiring the inclusion of the private legal persons that are authorized to receive information and documentation from our Company,

✓ Limited to the designation and supervision of the strategies regarding the business operations of our Company, in line with the provisions of the related legislation,

✓ Limited to the purpose for which it is requested within the legal authority of the relevant public institutions and organizations,

✓ Limited to the purposes demanded by the related private legal persons within their legal authority.

In the transfers by our Company, the principles and rules regulated in this Policy are complied with.

CHAPTER 3: LEGAL BASIS AND PURPOSES FOR THE PROCESSING OF PERSONAL DATA

I. LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

1. General Principles

Although the legal basis for the processing of personal data varies across our Company's activities, all personal data processing activities are carried out in accordance with the general principles in Article 4 of Law No. 6698. Accordingly, for all types of data processing, the general principles of

a) complying with the rules of law and honesty,

b) being up-to-date and correct when necessary,

c) treatment for specific, clear and legitimate purposes,

d) being connected, limited and measured with the purposes,

e) retaining for the time required for the purpose stipulated in the relevant legislation or for the purpose

are taken into consideration.

2. Reasons for Compliance with Laws

A) Explicit Consent of the Personal Data Owner

One of the conditions for the processing of personal data is the explicit consent of the owner of such data. The explicit consent of the owner of the personal data must be explained on a specific matter, on an informed basis and in free will.

B) Explicit Provisions by the Laws

The personal data of the data owner can be processed in accordance with the law if it is clearly stated in the law.

For example, the communication of the identities of our Employees to the authorities, according to the Identity Disclosure Law.

C) Failure to Receive Explicit Consent of the Related Person due to de Facto Impossibility

The personal data of a person who cannot provide consent due to de facto impossibility, or whose consent cannot be deemed valid, may be processed in cases when it is necessary for the protection of the life or bodily integrity of that person or of another person.

For example, providing the MD with the blood type information of a customer who is unconscious.

D) Direct Connection with the Establishment or Enforcement of an Agreement

On the condition that it is directly related to the establishment or enforcement of an agreement, in cases when the processing of personal data of the parties of the agreement becomes necessary, the processing of the personal data is possible.

For example, receiving a CV from the candidate for the establishment of the employment contract.

E) Fulfillment of a Legal Liability by the Company

The personal data of the data owner can be processed in cases when such transaction is necessary for the fulfillment of the legal liabilities of the Company as the data manager.

For example, the processing of family data of the Employee in order for the use of the Employee’s Minimum Living Allowance.

F) Publicizing of the Personal Data by the Personal Data Owner

In cases when the data owner has personally publicized their personal data, such personal data can be processed.

For example, when the customers of Toyota Boshoku Türkiye Otomotiv Sanayi ve Ticaret A.Ş. submit their complaints, demands or suggestion online on a publicly open platform, these customers are deemed to have publicized their related data. In such cases, Toyota Boshoku Türkiye Otomotiv Sanayi ve Ticaret A.Ş. official may process the data on the condition that such processing shall be limited to the purpose of responding the complaints, demands or suggestions.

G) The Necessity of Data Processing for the Establishment or Protection of a Right

If data processing is imperative for the establishment, use or protection of a right, the personal data of the data owner may be processed.

For example, the retaining of the data with evidential quality (sales agreement, bills etc.) and its use where necessary.

H) Necessity of Data Processing for the Legitimate Interest of Our Company

The personal data of the data owner may be processed if the data processing for our Company's legitimate interests is compulsory provided that the fundamental rights and freedoms of the data owner are not harmed.

For example, the surveillance of critical spots with the Company’s surveillance cameras against theft or for occupational safety.

3. The Processing of Special Data and the Reasons for Legal Compliance

By taking the necessary safety precautions and adequate measures as prescribed by the Personal Data Protection Committee, our Company may process the special data of the personal data owner in accordance with the legitimate and legal personal data processing purposes. The special personal data regarding the health and sexual life of the owner of personal data are processed only for the purposes of public health protection, preventive medicine, medical diagnosis, treatment and care services, planning and management of health care financing, by persons who are under obligation to keep secrets or by authorized institutions and organizations, or by the open consent of the owner of personal data. No matter the reasons behind it, the general data processing principles are taken into account during the data processing processes and compliance with such principles is ensured (Law on the Protection of Personal Data article 4; see above Chapter 2, I, 1).

II. PURPOSES OF PROCESSING PERSONAL DATA

Our company processes personal data limited to the purposes and conditions in the personal data processing prerequisites specified in paragraph 2 of Article 5 of the Protection of Personal Data Law No. 6698 and paragraph 3 of Article 6 of the same Law. In the data processing process, the legal grounds mentioned above are taken into account and if there are no other reasons for compliance with the law, the consent of the concerned person is requested. Here too, general principles supervision is carried out under Article 4 and above all, it is sought that the data processing activity generally conforms to the lawfulness principles. The consent of the person in question is received openly and depending on transparency and free will.

In the departments of our Company, personal data can be processed for the following purposes;

-To improve, develop and diversify our products and services and to offer alternatives to legal/real persons that we are in business relationship with,

-Developing products and services, evaluating new technologies and applications and determining and implementing business and trading strategies of our Company,

-For purposes such as performing our required quality and standard inspections or fulfilling our reporting and other obligations as set forth by laws and regulations,

-In line with the aim of ensuring that our company's human resources policies are carried out; In order to carry out human resources operations in accordance with our company's human resources policies, to select employee candidates, to manage personal affairs, to determine training and career plans, to fulfill the obligations in the context of occupational health and safety and to take the necessary precautions in accordance with our company's human resources policies, 

-In order to ensure the legal and commercial security of our company and those in business relations with our company; In order to ensure the management of communication operations, the management of legal operations, the legal compliance process, the physical security and control of company locations,

-Additionally, with regulatory and supervisory agencies in the manner requested or required by law, within the scope of the requirements and obligations established to ensure compliance with the legal obligations laid down in the Law on the Protection of Personal Data,

-In the direction of the determination and application of our company's commercial and business strategies; for the purpose of the management of our Company’s communication, market research and social responsibility activities, purchasing operations (demand, offer, evaluation, order, budgeting, contract), product/project/manufacturing/investment quality processes and operations, in-house system and application management operations, financial operations and financial affairs.

CHAPTER 4: RETENTION, ERASURE, DESTRUCTION AND ANONYMIZATION OF DATA

As provided in the article 138 of Turkish Criminal Code and article 7 of the Law on the Protection of Personal Data, despite being processed according to the provisions of the related legislation, in cases when the reasons for the processing of data are no longer available, pursuant to the Company’s resolution and upon the request of the owner of the personal data, such personal data is erased, destroyed or anonymized.

I. RETENTION OF PERSONAL DATA AND PERIODS OF RETENTION

Our Company keeps personal data for the period specified in the relevant legislation if such a period is foreseen in the related laws and legislation. If the legislation does not provide a duration for the retention of personal data, the personal data are processed for the term required for their processing in line with the practices of our Company and the customs of business life, based on the services offered by our Company while processing such data; after that term, the data is erased, destroyed or anonymized. If the purpose for the processing of personal data has ended and the terms defined by the related legislation and the Company have expired, personal data may only be kept as evidence in case of possible legal disputes or for the exercise of the relevant right or defense in respect of the personal data. In the determination of these terms, the limitation periods for claiming the expired right, and the claims directed to our Company despite such expirations, are taken as the basis and the retention periods are determined accordingly. Personal data retained under such circumstances are not accessed for other purposes and can be accessed only when they need to be used in legal disputes. In such cases, after the end of the term, the personal data are erased, destroyed or anonymized.

II. ERASURE, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

Despite having been processed in accordance with the related legislation as provided in the article 138 of Turkish Criminal Code and article 7 of the Law on the Protection of Personal Data, if the purpose for the processing of personal data has ended and the terms defined by the related legislation and the company have expired; our Company may erase, destroy or anonymize personal data. In this context, our Company fulfills its obligations with the methods specified in this chapter.

1. Erasure of Personal Data 

A) Transaction for the Erasure of Personal Data

Our Company may erase the personal data, despite the fact that such data have been processed duly according to the related laws, in cases when the reasons for such processing are no longer available, upon its own resolution or upon request of the owner of the personal data. The erasure of personal data is the transaction after which the personal data becomes inaccessible and unusable for the users. In our Company, all necessary technical and administrative measures are taken to ensure that the erased personal data cannot be accessed and reused by the relevant users.

B) Process of Erasure of Personal Data

The steps to be followed in erasing personal data are as follows:

  • Identification of the personal data which will be the subject of erasure.
  • Identification of the relevant users for each item of personal data, using an access authorization and control matrix or a similar system.
  • Determination of the relevant users' authorizations and methods of access, restoration, re-use, etc.
  • Closing and removing the relevant users' authorizations and methods of access, restoration and re-use.

[Flow diagram: Detection of data to be erased → Detection of related users → Detection of users' methods of access → Erasure of data (access removal)]

C) Personal Data Erasure Methods

Since personal data can be retained in various recording media, they must be deleted in a manner suitable for the media in which they are recorded. Examples are given below:

Application Service Cloud Solutions (Office 365, Salesforce, Dropbox, etc.): In the cloud system, the data must be erased with the delete command. During this transaction, care must be taken that the relevant user is not authorized to restore data erased from the cloud system.

Personal Data in Hard Copy Form: The personal data in hard copy form must be erased with the blackout method. The blackout method is cutting the personal data out of the related papers where possible and, in cases when that is not possible, making them invisible by using indelible ink to block the data from being viewed.

Centralized Server Files: The file must be deleted with the delete command of the operating system, or the user's access rights must be removed on the directory where the file is located. Care must be taken that the user performing the operation is not a system administrator at the same time.

Personal Data in Portable Media: Personal data in Flash based storage media must be stored encrypted and deleted using appropriate software for these media.

Databases: Relevant rows in which personal data are stored must be deleted with database commands (DELETE, etc.). Care must be taken that the user is not a database administrator at the same time when the operation is being performed.

2. Destruction of Personal Data

A) The Transaction for the Destruction of Personal Data

Our Company may destroy the personal data, despite the fact that such data have been processed duly according to the related laws, in cases when the reasons for such processing are no longer available, upon its own resolution or upon request of the owner of the personal data. Destroying personal data is the process of making personal data inaccessible, irretrievable and irrevocable by anyone. The Data Manager is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.

B) Personal Data Destruction Methods

For the destruction of personal data, all copies of the data must be identified and the systems in which the data are stored should be destroyed individually using one or more of the following methods:

a) Local Systems: One or more of the following methods may be used to destroy the data on such systems.
i) De-magnetizing: The magnetic medium is passed through a special device and exposed to a magnetic field of a very high value, so that the data on the magnetic medium becomes unreadable.
ii) Physical Destruction: Physical destruction of optical and magnetic media by processes such as melting, burning, pulverizing or passing through a metal mill, so that the data can no longer be made accessible. If overwriting or de-magnetizing is not successful for solid-state disks, such media must also be physically destroyed.
iii) Overwriting: Random data consisting of 0s and 1s is written over magnetic media and rewritable optical media at least seven times, using special software, so that the old data cannot be recovered.

b) Peripheral Systems: Destruction methods that may be used depending on the media type are as follows:
i) Network devices (switch, router, etc.): The storage media inside these devices are fixed. These products often have a delete command but no destruction feature. They must be destroyed by using one or more of the appropriate methods mentioned in (a).
ii) Flash-based media: Flash-based hard drives with ATA (SATA, PATA, etc.) or SCSI (SCSI Express, etc.) interfaces must be destroyed by using the <block erase> command if it is supported; if it is not supported, by using the manufacturer's suggested destruction method or one or more of the appropriate methods specified in (a).
iii) Magnetic tape: The data are stored on the flexible tape with the help of micro-magnet pieces. It must be destroyed by exposing it to a very strong magnetic field and de-magnetizing it, or by physical destruction methods such as burning and melting.
iv) Magnetic disk-like units: Data are stored with the help of micro-magnet pieces on flexible (floppy) or fixed media. They must be destroyed by exposing them to a very strong magnetic field and de-magnetizing them, or by physical destruction methods such as burning and melting.
v) Mobile phones (SIM card and fixed memory areas): The fixed memory areas of smartphones have a delete command, but in most cases no command to destroy the data. They must be destroyed by using one or more of the appropriate methods mentioned in (a).
vi) Optical discs: Data storage media such as CDs and DVDs. They must be destroyed by physical destruction methods such as incineration, breaking into small pieces or melting.
vii) Peripherals with removable recording media, such as printers and fingerprint door access systems: It must be verified that all data recording media have been removed, and they must be destroyed using one or more of the appropriate methods described in (a).
viii) Peripherals with a fixed data recording medium, such as printers and fingerprint door access systems: Such systems generally have a delete command, but no destroy command. They must be destroyed by using one or more of the appropriate methods mentioned in (a).

c) Paper and Microfiche Media: Since the personal data in such media are permanently and physically written on the media, the media themselves must be destroyed. In doing so, the medium must be divided, with paper shredding or cutting machines, into pieces so small that they cannot be reassembled horizontally or vertically and, if possible, into an unreadable size. Personal data that have been transferred to electronic media by scanning must be destroyed using one or more of the appropriate methods specified in (a) according to the electronic medium concerned, and the original paper must be destroyed as described above.

d) Cloud Environment: When personal data contained in such systems are stored and used, they must be stored with cryptographic methods, using separate encryption keys for each cloud solution and, wherever possible, for individual data. When the cloud computing service relationship ends, all copies of the encryption keys required to make the personal data usable must be destroyed. In addition to the above environments, the destruction of personal data contained in devices that have failed or are sent for maintenance is carried out as follows: (i) before the device is handed over to third parties such as the manufacturer, dealer or service, the personal data contained in it are destroyed using one or more of the appropriate methods in (a); (ii) when such destruction is not feasible or appropriate, the data storage medium is dismantled and retained, and only the remaining defective parts are sent to third parties such as the manufacturer, dealer or service; (iii) the necessary precautions are taken to prevent personnel who come from outside for maintenance, repair, etc. from copying personal data out of the institution.

3. Anonymization of Personal Data

A) Transaction for the Anonymizing of Personal Data

Anonymization of personal data means that the personal data can in no case be linked to a specific or identifiable real person, even if they are matched with other data. Our Company may anonymize personal data, processed in accordance with the law, when the reasons for their processing are no longer available. For personal data to be anonymous, it must not be possible for the data manager or the recipient groups to link them to any real person of known or unknown identity, even by recovering the data and/or matching them with other data using the techniques that would reasonably be applied. Our Company takes all kinds of technical and administrative precautions to make personal data anonymous.

In accordance with Article 28 of the Law on the Protection of Personal Data; anonymized personal data may be processed for purposes such as research, planning and statistics. Such transactions are outside the scope of the Law on the Protection of Personal Data and will not seek the explicit consent of the personal data owner.

B) Methods for the Anonymization of Personal Data

Anonymization is the removal of the identity of the person concerned by removing or changing all direct and/or indirect identifiers in a data set, or by removing the ability to be distinguished within a group or crowd, so that the data cannot be associated with a real person. Any data that no longer point to a particular person as a result of blocking or losing these properties are considered anonymous data. In other words, anonymized data are information that identified a real person before this transaction and that, after the process, can no longer be associated with the person concerned, the link having been severed. The goal of anonymization is to break the link between the data and the person identified by those data. All of the link-breaking operations applied to the records in the data recording system holding the personal data, whether automated or manual, by methods such as grouping, masking, derivation, generalization and randomization, are called anonymization methods. As a result of applying these methods, the data obtained must not be able to identify a specific person.

Examples of anonymization methods are shown in the table below:

Anonymization Methods that do not provide value irregularity

• Removing Variables
• Removing Records
• Lower and Upper Limit Coding
• Partial Hiding
• Sampling

Anonymization Methods Providing Value Irregularity

• Micro Combination
• Data Exchange
• Adding Noise
• Re-Sampling

Statistical Methods Supporting Anonymization

• K-Anonymity
• L-Diversity
• T-Affinity
Anonymization Methods that do not provide value irregularity: In methods that do not provide value irregularity, a change or addition or subtraction operation is not performed on the values that the cumulative data has, but instead the whole row or columns in the set are modified. Thus, while there are changes throughout the data, the values in the fields retain their original state.

a. Removing Variables

It is an anonymization method provided by removing one or more of the variables from the table entirely by deleting. In such a case, the entire column of the table will be completely removed. This method can be used reasonably when a variable is a high-level identifier, a more suitable solution does not exist, the variable is too sensitive to be disclosed to the public, or it does not serve analytical purposes.

b. Removing Records

In this method, anonymity is enhanced by removing a row that is singular within the data set, reducing the possibility of making assumptions about the data set. Generally, the records removed are those that have no value in common with other records and can easily be guessed by people who have an idea about the data set. For example, in a data set of survey results, only one person from a particular sector may be included in the survey. In such a case, if you do not want to remove the "sector" variable from all of the survey results, you may prefer to remove only this person's record.

c. Partial Hiding

The goal of partial hiding is to make the data set more secure and reduce the risk of predictability. If the combination of values in a particular record creates a rarely seen condition, and this is likely to make the person distinguishable in the community, the value that creates the exception is changed to "unknown".

d. Generalization
It is the transaction of transforming the related personal data from a specific value into a general value. It is the method most commonly used in producing aggregate reports and in operations carried out on general figures. The resulting new values represent aggregate values or statistics of a group, making it impossible to reach a real person. For example, a person with the ID number 12345678901 has bought diapers from an e-trade platform and also bought wet tissues. In the anonymization transaction, the generalization method is used and the conclusion can be reached that xx% of the persons who buy diapers from the e-trade platform also buy wet tissues.

e. Lower and Upper Limit Coding

The lower and upper limit coding method is applied by defining a category for a certain variable and combining the values that fall within the grouping created by this category. Generally, the low or high values of a certain variable are put together and these values are expressed by a new definition.

f.  Global Coding

The global coding method is a grouping method used in data sets whose values are not numeric, or whose numeric values cannot be subjected to lower and upper limit coding. It is often used when certain values stand out and make predictions and assumptions easier. By creating a new common group for the selected values, all of those records in the data set are replaced by this new definition.

g. Sampling

In the sampling method, a subset taken from the data set is disclosed or shared instead of the whole data set. This reduces the risk of generating accurate estimates about persons, since it is not known whether a person known to be in the entire data set is included in the disclosed or shared sample subset. Simple statistical methods are used in determining the subset to be sampled. For example, if a data set on the demographic information, occupation and health status of women living in Istanbul is anonymized or shared, it may be meaningful for someone who knows that a particular woman lives in Istanbul to scan the data set and make predictions about her. However, if only the records of women whose registry is in Istanbul are left in the data set and those registered in other provinces are removed, anonymization is applied in this way, and even when the data are disclosed or shared, a malicious person who gains access to the data cannot estimate whether the registry of a woman they know to be living in Istanbul is actually also in Istanbul; therefore, they cannot reliably estimate whether the data about this woman are included in the data they have in hand.

Anonymization Methods Providing Value Irregularity

Unlike the methods described above, the methods providing value irregularity alter the data set by changing its existing values. In this case, since the values carried by the records change, the benefit obtained from the data set must be recalculated correctly. Even though the values in the data set change, it is still possible to continue to obtain benefit from it by ensuring that the total statistics are not distorted.

a. Micro Combination

With this method, all entries in the data set are sorted first in a meaningful order, and then the whole set is subdivided into a certain number of subsets. Then, the value of each variable belonging to each sub-set is taken as a mean value and the value of the sub-set is changed to the mean value of that variable. Thus, the average value of that variable for the entire data set will not change.

b. Data Exchange

The data exchange method is a record change obtained by exchanging values ​​of a variable sub-set between pairs selected from among the records. This method is mainly used for variables that can be categorized and the main idea is to convert the database by changing the values ​​of the variables between the records of the individuals.

c. Adding Noise

This method adds and subtracts values in order to introduce distortion of a selected magnitude in a selected variable. It is often applied to data sets with numeric values. The distortion is applied equally to each value.

Statistical Methods Supporting Anonymization

As a result of the combination of some of the values in the records within the data sets that are already anonymized through singular scenarios, it could be possible that the identities of the persons in the records are detected or assumptions are made about their personal data.
For this reason, anonymity can be strengthened by minimizing the uniqueness of the records in the dataset by using various statistical methods in anonymized data sets. The main purpose of these methods is to minimize the risk of corruption of anonymity and to keep the benefit of the data set at a certain level.

a. K-Anonymity

In anonymized data sets, if the indirect identifiers are combined in the right combinations, the identities of the people in the records can be detected, or information about a certain person can easily be estimated. To this end, data sets anonymized with various statistical methods have to be brought to a more reliable state. K-anonymity was developed so that the combinations of specific fields in a data set correspond to more than one person, preventing particular combinations from revealing the characteristics of an individual. If there is more than one record for a combination created by combining some of the variables in a data set, the probability that the identities of the persons corresponding to this combination can be detected is reduced.

b. L-Diversity

The L-diversity method which is formed by the studies carried out on the deficiencies of the K-anonymity takes into consideration the diversity of the sensitive variables which correspond to the same variable combinations.

c. T-Affinity

Although the L-diversity method provides diversity in personal data, there are cases in which the method does not provide sufficient protection because it is not concerned with the content of personal data and its degree of sensitivity. The process of anonymization of the data sets through their sub-classification according to the degrees of affinity of personal data, after the calculation of the affinity among them is called the T-affinity method.
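As an added example (not the Company's own code or tooling), the following Python applies generalization and record removal to a constructed data set and then measures the k-anonymity and l-diversity actually achieved, illustrating both the statistical checks above and the deficiency of k-anonymity that l-diversity addresses. The records, field names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not real data): three indirect identifiers and one sensitive variable.
RECORDS = [
    {"age": 34, "zip": "54580", "sex": "F", "diagnosis": "flu"},
    {"age": 36, "zip": "54582", "sex": "F", "diagnosis": "asthma"},
    {"age": 31, "zip": "54581", "sex": "F", "diagnosis": "flu"},
    {"age": 52, "zip": "34700", "sex": "M", "diagnosis": "diabetes"},
    {"age": 57, "zip": "34710", "sex": "M", "diagnosis": "diabetes"},
    {"age": 55, "zip": "34720", "sex": "M", "diagnosis": "diabetes"},
    {"age": 23, "zip": "06500", "sex": "M", "diagnosis": "flu"},
]

QUASI_IDENTIFIERS = ("age", "zip", "sex")  # indirect identifiers (assumed)
SENSITIVE = "diagnosis"                     # sensitive variable (assumed)


def generalize(record):
    """Generalization: replace each indirect identifier with a broader value
    (age -> ten-year band, zip -> first two digits) so that records merge into groups."""
    decade = (record["age"] // 10) * 10
    return {
        "age": f"{decade}-{decade + 9}",
        "zip": record["zip"][:2] + "***",
        "sex": record["sex"],
        SENSITIVE: record[SENSITIVE],
    }


def qi_key(record):
    """The combination of indirect identifiers that an attacker could match on."""
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def equivalence_classes(records):
    """Group records that share the same indirect-identifier combination."""
    classes = defaultdict(list)
    for r in records:
        classes[qi_key(r)].append(r)
    return classes


def k_anonymity(records):
    """k of the data set: the size of its smallest equivalence class (0 if empty)."""
    classes = equivalence_classes(records)
    return min((len(rs) for rs in classes.values()), default=0)


def l_diversity(records):
    """l of the data set: the fewest distinct sensitive values found in any class."""
    classes = equivalence_classes(records)
    return min((len({r[SENSITIVE] for r in rs}) for rs in classes.values()), default=0)


def remove_records(records, k_required):
    """Record removal: drop rows whose class is too small to hide an individual."""
    classes = equivalence_classes(records)
    return [r for r in records if len(classes[qi_key(r)]) >= k_required]


def anonymize(records, k_required=2, l_required=2):
    """Generalize, remove singular records, then report the k and l achieved."""
    generalized = remove_records([generalize(r) for r in records], k_required)
    k, l = k_anonymity(generalized), l_diversity(generalized)
    return {
        "records": generalized,
        "k": k,
        "l": l,
        "k_ok": k >= k_required,
        "l_ok": l >= l_required,
    }


if __name__ == "__main__":
    result = anonymize(RECORDS)
    print(f"raw data: k={k_anonymity(RECORDS)}, l={l_diversity(RECORDS)}")
    print(f"after anonymization: k={result['k']}, l={result['l']}, "
          f"k_ok={result['k_ok']}, l_ok={result['l_ok']}")
    for key, rs in equivalence_classes(result["records"]).items():
        print(key, sorted(r[SENSITIVE] for r in rs))
```

Running it shows that the data set reaches k=3 but only l=1: the male 50-59 group is uniform, so knowing that a person falls in that group is enough to learn the diagnosis even though no single record can be picked out.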

Selection of Anonymization Method

Our company decides which of the above methods will be applied by looking at the data on its hand and considering the following characteristics of the data set;

● The nature of the data,
● The size of the data,
● The available structure of the data in physical environments,
● The diversity of data,
● The benefit expected from the data and the purpose of processing,
● Frequency of the data’s processing,
● Reliability of the party to which the data will be transferred,
● The meaningfulness of the efforts to be made for the anonymization of the data,
● The size and impact area of the damage that may occur in cases when the anonymity of the data is corrupted,
● The peripherality/centrality ratio of the data,
● The access authorization control of users in accessing the data and
● The possibility that an attack is designated to corrupt anonymity and the possibility of meaningfulness of the efforts made for the actualization of the attack.

During the anonymization of data, our Company checks whether such data is able to define a person, through agreements and risk analyses, with the data transferred to the other organizations and the use of public data.

Anonymity Guarantee

When our Company decides to anonymize personal data instead of erasing or destroying it, special attention is paid in order to prevent the corruption of the anonymity of an anonymized data set through its combination with another data set, the establishment of a meaningful whole in a way that makes one or more values singular, and the merging of the anonymized values within the data set with one another so that they become capable of producing assumptions or conclusions. Our Company carries out inspections on the anonymized data sets as the specifics noted in this article change, and it is made sure that anonymity is preserved.

Risks Related to the Corruption of Anonymization by Reverse Transaction of Anonymous Data

Since anonymization is the process of applying operations to personal data that destroy the distinguishing and identifying properties of the data set, there is a risk that these operations may be reversed in part, and that the anonymized data may again become identifiable and distinguishable for real persons. This is expressed as the corruption of anonymity. Anonymization may be achieved by manual operations, by automated operations, or by hybrid operations combining both. It is important, however, that measures have been taken to prevent anonymity from being corrupted by new users who have or gain access to the anonymized data after it has been shared or disclosed. Operations consciously conducted to corrupt anonymity are called "attacks aimed at corrupting anonymity". In this context, it is investigated whether the personal data anonymized by our Company could be reversed by various interventions and whether there is a risk that the anonymized data become re-identifiable and the real persons distinguishable.

CHAPTER 5: DATA OWNER’S RIGHTS

I. THE SCOPE OF THE RIGHTS OF THE DATA OWNER AND THE USE OF THESE RIGHTS

1. Personal Data Owner Rights

Owners of personal data have the rights below:
✓ To learn whether personal data is processed,
✓ To request information about personal data if it has been processed,
✓ To learn the purpose of processing personal data and whether they are used appropriately for their purpose,
✓ To know the third parties to which personal data are transferred in the country or abroad,
✓ To request correction of personal data if it is incomplete or incorrectly processed, and to request that the process carried out within this scope be notified to the third parties to whom the personal data is transmitted,
✓ Despite the data having been processed according to the Law on the Protection of Personal Data and other relevant legislation, in cases when the reasons for such processing are no longer available, to request the erasure or destruction of personal data and to request that the process carried out within this scope be notified to the third parties to whom the personal data is transmitted,
✓ To object to the emergence of any result against themselves from the analysis of their processed data exclusively through automated systems,
✓ To claim compensation for any damages due to the illegal processing of personal data.

2. Use of Rights by the Personal Data Owner

It is sufficient for the data owners to communicate to our Company their demands for using their aforementioned rights within the scope of the paragraph 1 of the 13th article of the Law on the Protection of Personal Data, by using the following methods;

Method of Application | Address of Application | Information to be Included in Application

Personally (personal and physical application by the application owner, containing documents proving their identity)
Address: 1. Organize Sanayi Bölgesi 54580 Arifiye / SAKARYA
On the envelope, the following expression shall be included: “Request for Information within the Scope of the Law on the Protection of Personal Data”.

Notary Notification
On the envelope of the notification, the following expression shall be included: “Request for Information within the Scope of the Law on the Protection of Personal Data”.

With “Secure E-signature” and through Registered Electronic Mail (REM)
Address: toyotaboshokuturkiyeotomotiv@hs01.kep.tr
In the subject of the e-mail, the following expression shall be included: “Request for Information within the Scope of the Law on the Protection of Personal Data”.

In such applications, it is necessary to include;

Name, surname and signature if the application is in writing, Turkish Republic ID number for citizens of the Republic of Turkey, the country of origin, passport number or ID number for foreign nationals, the address of domicile for notifications or business address, e-mail address for communications if available, telephone and facsimile number, subject of request. The documents related to the subject will also be added to the application.

It is not possible for third parties to make claims on behalf of personal data owners. In order for a person other than the owner of the personal data to file a request, a special power of attorney must be issued by the personal data owner in the name of the person that applies for the matter. In the application that you will be making according to your rights as the owner of personal data and in order to make use of your aforementioned rights and that will also contain your explanations regarding the right that you demand to make use of; it is necessary that your request is clearly and  apprehensibly outlined and the subject that you request is directly about you and in cases when you are acting on behalf of another person, that you document your authorization and that your application contains your identity and address information and that documents representing your identity are annexed to such application.

In this context, the applications will be concluded within the shortest possible time and within 30 days at most. Such applications are free of charge. However, if the transaction also requires a cost, a fee may be charged at the rate specified by the Personal Data Protection Committee.

3. Toyota Boshoku Türkiye Otomotiv Sanayi ve Ticaret A.Ş.’s Responding to the Applications

In the event that the personal data owner submits the request to our Company in accordance with the prescribed procedure, the Company shall conclude the request as soon as possible and within thirty days at the latest according to the nature of the claim. However, if the transaction also requires a cost, our company will charge the fee as specified by the Personal Data Protection Committee from the applicant. Our company may request information from the person concerned in order to determine if the applicant has personal data. Our company may address questions relating to the application of personal data to clarify what is in the applicant's personal data.

CHAPTER 6: ENSURING THE SECURITY OF PERSONAL DATA

I. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE LAWFUL PROCESSING OF PERSONAL DATA

Our company takes all the technical and administrative measures necessary to ensure that personal data are processed in accordance with the law. Within this scope,

✓Within our Company, a data inventory compatible with the VERBIS system is being implemented (Data Mapping), in which legal and expediency checks are carried out.

✓Employees are informed about the protection of personal data, legal and personal data processing in accordance with law.

✓All activities carried out by our company are analyzed in detail in all business units and personal data processing activities are carried out in the context of the business activities carried out by the related business units as a result of this analysis.

✓The personal data processing activities carried out by the departments of our Company and the requirements for ensuring the compliance of such activities with the conditions of personal data processing set forth in Law no 6698 are determined according to each department and the detailed activity carried out by that department.

✓The contracts and instruments regulating the legal relationship between our Company and the employees include conditions setting forth liabilities for not processing, disclosing and using personal data, with the exception of the orders of the company and the exceptions by law and awareness is raised among the employees regarding this subject and controls are also carried out.

II. TECHNICAL AND ADMINISTRATIVE MEASURES IN THE PROCESSING OF SPECIAL DATA

Particular emphasis has been given by the Law on the Protection of Personal Data to the protection of special personal data, because of the risk of victimization or discrimination of persons when such data are processed in contravention of the law. These are the data with respect to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress and attire, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. Our Company is sensitive to the protection of the personal data defined as "special" by the Law on the Protection of Personal Data and processes them in accordance with the law. In this context, the technical and administrative precautions taken by our Company for the protection of personal data are implemented with particular care for special personal data, and the required controls are provided within Toyota Boshoku Türkiye Otomotiv Sanayi ve Ticaret A.Ş. In this scope;

✓For the security of the special personal data a separate policy and procedure that is systematic, has clarified rules, that is manageable and sustainable is being prepared,

✓Regular training is provided, in accordance with the Law and related regulations, to the employees involved in processing personal data of a special nature, covering the security of such data; confidentiality agreements are made; the authorizations and access durations of users with access authority to the data are clearly defined; authorization checks are carried out periodically; the authorizations of officials in this area whose duties change or who leave the job are immediately removed, and within this scope the inventory assigned to that person by the data officer is also taken back.

✓If the media where special personal data are processed, maintained and/or accessed are electronic, the data are stored using cryptographic methods, cryptographic keys are stored on secure and separate media, the transaction logs of all transactions performed on the data are logged securely, the security updates for the media where the data are stored are constantly monitored, the necessary security tests are conducted and/or ordered to be conducted on a regular basis, and the test results are recorded. If the data are accessed via software, user authorizations for this software are defined, security tests of this software are conducted or ordered to be conducted regularly, and the test results are recorded. At least a two-step verification system is provided if remote access to the data is required.

✓If the media where special personal data are processed, maintained and/or accessed are physical, it is ensured that adequate safety precautions are taken according to the characteristics of the media where the special personal data are stored (against electricity leak, fire, flood, theft etc) and the physical safety of these environments is ensured and unauthorized entrances and exits are prevented.

✓If special personal data are to be transferred via e-mail, they are encrypted and sent using the corporate e-mail address or a Registered Electronic Mail (REM) account; if they are to be transferred on media such as portable memory, CD or DVD, they are encrypted using cryptographic methods; and transfers between servers in different physical environments are carried out by establishing a VPN between the servers or by using the sFTP method. If the data need to be transferred on paper media, the necessary precautions are taken against risks such as theft, loss or unauthorized disclosure of the documents, and the documents are sent in "confidential document" format.

✓In addition to the precautions mentioned above, the technical and administrative precautions for ensuring an appropriate level of security specified in the Personal Data Security Guideline published on the website of the Personal Data Protection Agency are also taken into account.

III. TECHNICAL AND ADMINISTRATIVE PRECAUTIONS AGAINST ILLEGAL ACCESS TO PERSONAL DATA

Our Company takes technical and administrative precautions in order to prevent negligent or unauthorized disclosure, access, transfer or other unlawful access to personal data.

1. Technical Precautions against Illegal Access to Personal Data

The main technical precautions taken by our Company to prevent illegal access to personal data are listed below:

A) Ensuring Cyber Security

To ensure personal data security, cyber security products are used in the first instance, but the measures are not limited to these. A first line of defense against attacks from the internet is formed by measures such as firewalls and gateways. However, almost all software and hardware require certain set-up and configuration steps. Accordingly, unused software and services are removed from the devices, taking into account that some commonly used software, especially older versions, may have documented security vulnerabilities. For this reason, removing unused software and services is preferred over keeping them up to date, since it is the simpler measure.

B) Software Updates

Patch management and software updates ensure that software and hardware are functioning properly and that security measures taken for systems are adequate.

C) Access Restrictions

Access to systems containing personal data is also limited. In this context, employees are granted access rights only to the extent required by their duties, authority and responsibilities, and access to the related systems is provided through the use of usernames and passwords. When passwords are created, combinations of uppercase letters, numbers and symbols are preferred over numeric or alphanumeric strings that are associated with personal information and easily guessed. Accordingly, an access authorization and control matrix is established.

D) Encryption

In addition to the use of strong passwords and encryption, access is further restricted by limiting the number of password entry attempts to protect against common attacks such as brute force attacks (BFA), by ensuring that passwords are changed at regular intervals, by enabling the administrator account and admin privileges only when needed, and by deleting the accounts or disabling the logins of the employees concerned without delay.

E) Anti-Virus Software

In order to protect against malicious software, antivirus and anti-spam products that regularly scan the information system network and detect threats are used; these products are kept up to date and the necessary files are scanned regularly. If personal data are collected through different websites and/or mobile application channels, it is ensured that the connections are made via SSL or a more secure method.

F) Monitoring of Personal Data Security

The activities conducted on this basis are:

✓Controlling which software and services are running in the information networks,

✓Determining whether or not there has been an intrusion into the information networks,

✓Regular maintenance of the transaction logs of all users (such as log records),

✓Reporting security problems as quickly as possible.

Additionally, to enable employees to report security gaps in the systems and services and the threats that exploit such gaps, an official reporting procedure is also being prepared.

Evidence is collected and securely stored in undesired cases such as computer system crashes, malicious software, a denial-of-service attack, incomplete or incorrect data entry, breaches of confidentiality and integrity, and misuse of the information system.

G) Ensuring the Security of Personal Data Media

If personal data are stored on devices located on the premises of data providers or on paper, physical security measures are taken against threats such as theft or loss of these devices and papers.

The physical environment in which personal data are stored is protected against external risks (fire, flood, etc.) by appropriate methods, and entrances and exits are controlled accordingly.

When personal data are held on electronic media, access between network components is restricted or the components are separated in order to prevent personal data security breaches. For example, when the network is segmented for this purpose and personal data are processed only in one segment, the existing resources can be allocated to securing that segment rather than the entire network.

Measures at the same level are also taken for paper media, electronic media and devices outside the Company's campus that contain personal data belonging to the Company. Although personal data security breaches often arise from stolen or lost devices containing personal data (such as laptop computers, mobile phones, flash drives, etc.), personal data transferred via electronic mail or post are also sent carefully and with the necessary precautions.

When employees access the information systems network through their personal electronic devices, adequate security precautions are also taken for these devices.

Access control, authorization and/or encryption methods are applied in anticipation of situations such as the loss or theft of devices containing personal data. In this context, the encryption key is stored only in an area accessible to authorized persons, and unauthorized access is prevented.

Paper-based documents containing personal data are also kept locked and accessible only to authorized persons, which prevents unauthorized access to the paperwork.

H) Storage of Personal Data on Cloud Services

In the event that personal data are stored in the cloud, the Company must assess whether the security measures taken by the cloud storage service provider are adequate and appropriate. In this context, the Company ensures that it knows in detail which personal data are stored in the cloud, that these data are backed up and synchronized, and that two-step identity verification is applied for remote access when the data are needed. During the storage and use of personal data in these systems, where cryptographic encryption and encrypted transfer to the cloud media are available, a separate encryption key is used for each cloud solution. When the cloud computing service relationship ends, all copies of the encryption keys that could be used to make the personal data readable are destroyed.

I) Supply, Development and Maintenance of Information Technology Systems

Security requirements are taken into account when determining the Company's needs for procuring or developing systems or improving existing ones.

J) Backup of Personal Data

In cases where personal data are damaged, destroyed, stolen or lost for any reason, the Company restores operations as soon as possible by using the backed-up data. Backed-up personal data are accessible only to the system administrator, and the dataset backups are kept off the network.

2. Administrative Precautions to Prevent Illegal Access to Personal Data

The main administrative precautions taken by our Company to prevent unlawful access to personal data are listed below:

✓Employees are informed and trained on the technical measures to be taken to prevent unlawful access to personal data.

✓Employees are informed that the personal data they learn may not be disclosed to anyone except as permitted by the provisions of the Law on the Protection of Personal Data and may not be used for purposes other than the purpose of processing, that this obligation continues after leaving the job, and the necessary commitments are obtained accordingly.

✓Personal Data Security Policies and Procedures are determined; checks are made regularly within the scope of these policies and procedures, the controls are documented and the issues to be improved are identified. Again, the risks that may arise for each personal data category and how security breaches are to be managed are clearly defined.

✓Reduction of Personal Data as Far as Possible: Personal data must be kept accurate and up to date, and only for as long as necessary for the purpose foreseen in the relevant legislation or for the purpose of processing, in accordance with subparagraphs (b) and (d) of the second paragraph of Article 4 of the Law. Accordingly, it is assessed whether there is still a need for data that are inaccurate, out of date or no longer serve a purpose, and any unnecessary personal data are deleted, destroyed or anonymized in accordance with the personal data retention and destruction policy.

✓Management of Relationships with Data Processors: When the Company receives services from data processors to meet its IT needs, it makes sure that the data processors provide at least the security level that the Company itself provides. Within this scope, it is ensured that the agreement signed with the data processors is in writing and contains provisions ensuring that the data processor shall act solely on the instructions of the data manager and in accordance with the personal data protection legislation, that the agreement complies with the Personal Data Retention and Destruction Policy, that the data processor is subject to a confidentiality obligation without time limitation, and that in the event of any breach of data security the data processor is obliged to notify the data manager of the situation. In addition, to the extent that the nature of the contract between the parties allows, the categories and types of personal data transferred by the Company for processing are specified in a separate article. Again, the Company will make the required investments in the system that contains the personal data, may view the reports produced as a result of the inspections it orders, and may also carry out on-site inspections of the service provider. Provisions are added to the contracts concluded by our Company with the persons to whom personal data are lawfully transferred, to ensure that these persons take the necessary security measures to protect personal data and that these measures are adhered to within their own organizations.

IV. RETENTION OF PERSONAL DATA IN SECURE ENVIRONMENTS

Our Company takes the necessary technical and administrative precautions, according to the available technology and the cost of implementation, to prevent personal data from being stored in insecure environments and from being destroyed, lost or altered for unlawful purposes.

1. Technical Precautions for the Retention of Personal Data in Secure Environments

The main technical precautions taken by our Company to retain personal data in safe environments are listed below:

✓Systems suitable for technological development are used to store personal data in secure environments.

✓Technical security systems are established for storage areas, the technical measures taken are periodically inspected by the inspection mechanism determined by our Company, and the necessary technological solutions are produced by reassessing the risk factors.

✓All necessary infrastructure is used in accordance with the law in order to ensure that personal data are stored securely.

2. Administrative Precautions for the Retention of Personal Data in Secure Environments

The main administrative precautions taken by our Company to retain personal data in safe environments are listed below:

✓Employees are instructed to ensure that personal data is stored securely.

✓When our Company outsources the retention of personal data due to technical necessity, provisions are added to the agreements made with the companies to which the personal data are duly transferred, requiring the recipients of such personal data to take the necessary precautions for the protection of personal data and to ensure compliance with such precautions within their organizations.

V. TRAINING

✓Our Company provides the necessary training to its employees regarding the protection of Personal Data within the scope of the Policy and Procedures of Personal Data Protection and the regulations of the Law on the Protection of Personal Data.

✓In the training sessions, the definition of Special Personal Data and their protection are especially highlighted.

✓If an employee accesses Personal Data either physically or through a computer system, our Company trains that employee specifically for such access (for example, on the computer program being accessed).

VI. RAISING AWARENESS AMONG AND INSPECTION OF DEPARTMENTS REGARDING THE PROTECTION AND PROCESSING OF PERSONAL DATA

Our Company ensures that the necessary notifications are made to the departments in order to raise awareness of preventing the unlawful processing of, and unlawful access to, personal data and of ensuring the secure retention of data.

VII. RAISING AWARENESS AMONG AND INSPECTION OF BUSINESS PARTNERS AND SUPPLIERS REGARDING THE PROTECTION AND PROCESSING OF PERSONAL DATA

Our Company ensures that the necessary notifications are made to its business partners and suppliers in order to raise awareness of preventing the unlawful processing of, and unlawful access to, personal data and of ensuring the secure retention of data.

VIII. INSPECTION OF THE PRECAUTIONS FOR THE PROTECTION OF PERSONAL DATA

Our Company has the right to inspect, at any time and without prior notice, whether all employees, departments and contractors of the Company are acting in compliance with the Policy and the Regulations, and to perform or order the necessary routine inspections in this scope. The results of these inspections are evaluated within the Company's internal operations, and the necessary actions are taken to improve the precautions in place.

Precautions to be Taken in Case of Unauthorized Disclosure of Personal Data

In accordance with Article 12 of the Law on the Protection of Personal Data, our Company operates a system that ensures that the Personal Data Protection Committee and the owner of the personal data are notified in cases where personal data that were originally processed in accordance with the law are obtained by third persons through illegal means.