Çağdaş Makina İthalat İhracat Sanayi Tic. Ltd. Şti. (“Company”), as the data controller, the protection of personal data of its customers, employees and other natural persons with whom it has a relationship is of great importance. The process managed by this Policy and other written policies within the Company for the processing and protection of personal data and the targeted goal is to process and protect the personal data of our customers, potential customers, employees, employee candidates, visitors, employees of the organization we cooperate with, employees of the Company we are involved in and third parties in accordance with the law.
In this context, necessary administrative and technical measures are taken by the Company for the processing and protection of personal data in accordance with Law No. 6698 and the relevant legislation.
In this Policy, the following basic principles adopted by the Company for the processing of personal data will be explained:
The main purpose of this Policy is to provide explanations about the personal data processing activities carried out by the Company in accordance with the law and the systems adopted for the protection of personal data, and to provide transparency by informing our customers, employees, employee candidates, visitors, shareholders and employees of the organizations we cooperate with and third parties.
3. SCOPE OF THE POLICY
This Policy relates to all personal data of our customers, employees, employee candidates, visitors, employees of the institutions we cooperate with and third parties, which are processed automatically or non-automatically provided that they are part of any data recording system.
4. ENFORCEMENT OF THE POLICY
The policy issued by the Company has been put into effect, published on the Company’s website (www.coiltech.com.tr) and made available to the relevant persons upon the request of the personal data owners.
5. ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the KVK Law, the Company takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data, unlawful access to data and to ensure the preservation of data, and conducts or has the necessary audits carried out within this scope.
5.1. Measures Taken to Ensure Lawful Processing of Personal Data
The Company takes technical and administrative measures to ensure that personal data is processed in accordance with the law, according to technological possibilities and implementation cost.
5.1.1. Technical Measures
The main technical measures taken by the Company to ensure the lawful processing of personal data are listed below:
5.1.2. Administrative Measures
Administrative measures taken by the Company for the lawful processing of personal data:
The Company conducts a Privacy Impact Assessment in the following cases:
The Privacy Impact Analysis is subject to the approval of the Company Data Protection Officer.
5.1.3. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data
The Company takes technical and administrative measures according to the class, nature, technological possibilities and implementation cost of the data to be protected in order to prevent disclosure, access, transfer of personal data by imprudent or unauthorized persons, data leaks within the Company systems or all other forms of unlawful access.
5.1.4. Technical Measures
The main technical measures taken by the Company to prevent unlawful access to personal data are listed below:
5.1.5. Administrative Measures
5.2. Supervision of Measures Taken for the Protection of Personal Data
There is a Personal Data Privacy Manager within the Company. The Personal Data Privacy Manager, on behalf of the Company, which is the data controller, personally conducts the necessary audits in order to ensure the implementation of the provisions of the Law in its own institution or organization in accordance with its duty arising from Article 12 of the Law and, if necessary, by obtaining support from competent organizations. According to the results of these audits, the violations, negativities and nonconformities identified are notified to the Information Security Management Representative and the Information Security Management Representative takes the necessary measures regarding these issues. In the event that an external service is received by the Company due to technical requirements for the storage of personal data, additional agreements are made with the relevant companies to which personal data are transferred in accordance with the law, and the persons to whom personal data are transferred, which include provisions that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.
In accordance with Article 13 of the KVK Law, the Company, as the data controller against the requests of the data subject, has established the Personal Data Application and Response Procedure, which is an annex to the personal data inventory, and the procedures for directing to the written template for applications that do not meet the application conditions specified in the law. Technical preparations have been made in order to take the necessary actions in accordance with these procedures. There is a systematic infrastructure within the Company to ensure the implementation of this procedure. In the event that
personal data owners submit
their requests regarding their rights listed below; by personal application with the presentation of identity card, in writing or by registered electronic mail (KEP) address, secure electronic signature, mobile signature or by using the electronic mail address previously notified to the Company by the relevant person and registered in the Company’s system or by using a software or application developed for the purpose of application, the Company will respond to the request free of charge within thirty days at the latest, depending on the nature of the request. A detailed explanation on this matter is made below in Article 20 of this policy.
Personal data owners will be able to request all rights in the relevant article of the law, including all processing processes, purposes and transfer information of their personal data with the application they will make in accordance with this procedure.
The PDP Law attaches special importance to certain personal data due to the risk of causing victimization or discrimination when processed unlawfully. These data are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
The Company acts sensitively in the protection of special quality personal data determined as “special quality” by the KVK Law and processed in accordance with the law. In this context, the technical and administrative measures taken by the Company for the protection of personal data are carefully implemented in terms of special categories of personal data and necessary audits are provided within the Company.
In this context, the health data of the employees are processed due to the workplace medicine service provided within the Company, and the necessary trainings are provided to the personnel who can access this sensitive personal data, the scope and duration of the access authorization of these personnel are determined, periodic audits are carried out and confidentiality agreements are signed. In the event that the relevant personnel leave their jobs, their access authorization is immediately removed.
Physical files containing personal health data stored physically in employees’ health files are kept in locked areas accessible only by authorized personnel. No unit other than authorized personnel can access the health data of employees.
The Company ensures that the necessary trainings are organized for its employees in order to raise awareness to prevent unlawful processing of personal data, unlawful access to data and to ensure the protection of data.
In accordance with Article 20 of the Constitution and Article 4 of the KVK Law, the Company carries out personal data processing activities in accordance with the law and good faith, accurate and, where necessary, up-to-date, specific, clear and legitimate purposes, in a purpose-related, limited and measured manner. The Company retains personal data for the period stipulated by law or required by the purpose of personal data processing. The Company processes personal data belonging to its customers, employees, visitors, employees of suppliers and third parties; personal data such as
identity information (name, surname, Turkish ID number, gender, age, date of birth), contact information (e-mail address, telephone number address information, IP address), vehicle information, occupational data, visual and audio data, educational data, family members data, health data and while processing this data, The Company processes personal data within the framework of the performance of contracts, fulfillment of work and financial/legal/commercial obligations, as well as ensuring that the personal data owners listed here can benefit from the Company’s services effectively, improve service diversity, provide services with the principle of “best service” for its customers and be informed about marketing and innovations as a result of these services.
The Company enlightens the data subjects in accordance with Article 10 of the KVK Law and requests the consent of the data subjects in cases where consent is required, and processes this personal data based on the following criteria.
9.1. Processing in accordance with Law and Good Faith
The Company acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In accordance with the principle of compliance with the rule of honesty, the Company takes into account the interests and reasonable expectations of the data subjects while trying to achieve its goals in data processing.
9.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
Keeping personal data accurate and up-to-date is necessary for the Company to protect the fundamental rights and freedoms of the data subject. The Company has an active duty of care to ensure that personal data is accurate and up-to-date when necessary. For this reason, all communication channels are open for the Company to keep the information of the data subject accurate and up-to-date.
9.3. Processing for Specific, Explicit and Legitimate Purposes
The Company clearly and precisely determines the purpose of processing personal data that is legitimate and lawful. The Company processes personal data in connection with and necessary for the commercial activity it carries out.
9.4. Being relevant, limited and proportionate to the purpose for which they are processed
The Company processes personal data within the scope of the purposes related to its field of activity and necessary for the execution of its business. For this reason, the Company processes personal data in a manner suitable for the realization of the specified purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed. For example, personal data processing activities are not carried out to meet the needs that may arise later.
9.5. Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed
The Company retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context; The Company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period, if a period is not determined, it keeps personal data for the period required for the purpose for which they are processed and specified in the law. The Company takes the retention periods in the personal data inventory as basis, and at the end of the periods specified herein, personal data are deleted, destroyed or anonymized according to the nature and intended use of the data within the framework of the obligations under the Law.
The Company may transfer the personal data and sensitive personal data of the personal data owner to third parties by taking the necessary security measures in line with the lawful personal data processing purposes. Personal data may be transferred by the Company to foreign countries declared by the PDP Board to have adequate protection or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the PDP Board has permission. Reasons for transfer are explained below:
In line with the legitimate and lawful personal data processing purposes of the Company, in accordance with the legitimate and lawful personal data processing purposes of the Company, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the KVK Law, by complying with the general principles specified in the KVK Law and all obligations regulated in the KVK Law, especially the principles specified in Article 4 regarding the processing of personal data, and by complying with the personal data owners within the scope of this Policy (customers, employees, visitors, third parties, third parties). The personal data in the categories specified below, limited to
the personal data owners within the scope of this Policy (customers, employees, visitors
, third parties, third parties, employee candidates, employees of the institutions we cooperate with), are processed by informing the relevant persons by
complying with the general principles specified in the KVK Law and all obligations regulated in the KVK Law.
The Company has created a personal data inventory in accordance with the Data Controllers Registry Regulation issued by the Personal Data Protection Authority. This data inventory includes data categories, data source, data processing purposes, data processing process, recipient groups to which data is transferred and retention periods. In this context, the Company’s personal data inventory includes, but is not limited to, the following types of data categories.
PERSONAL DATA CATEGORIZATION DESCRIPTION
A group of data that can be used to reach a person (phone, address, e-mail, fax number, IP address).
Data group containing information on the identity of the person (Name, surname, TRKN, mother’s name, father’s name, place of birth, date of birth, gender, wallet serial number, ID card photocopy, tax number, social security number, nationality data, marriage certificate photocopy/scan, employee card).
It is the data group containing the health information of the person (blood type, medical history, check-up result, consultation report, diet form).
It is the data group containing the person’s vehicle information (license plate number, chassis number, engine number, registration information).
The data group containing the location data of a person (GPS location).
It is the data group containing visual and auditory data of the person (photographs, voice recordings, camera recordings, photocopy/scan of driver’s license, photocopy/scan of ID card, photocopy/scan of passport).
Digital Trace Data
A data group containing digital traces resulting from the processing of personal information (Log).
It is the data group containing the financial information of the person (Bank account no, iban no, card information, bank name, financial profile, mail order form, credit rating).
Data group containing biometric/genetic data of the individual (fingerprints, genetic information, vein prints).
This is the data group containing information about the person’s occupation (information on the institution where the person works, professional chamber registration).
Data group containing the education data of the individual (Diploma grade, diploma photocopy/scan).
It is the data group containing the assets owned by the person (copy/scan of title deed, copy/scan of vehicle license).
It is the data group containing information about the person’s travels (flight information, flight card, tour route, mile card number, accommodation data).
Data for a sole proprietorship (Company address).
A data set containing data on a person’s origin and beliefs (Race/religion data).
Association membership information
This is the data group containing information about the association that the person is a member of and related to (All association memberships).
It is the data group containing the signature information of the person (wet signature, e-signature, signature photocopy/scan).
Data group containing the visa/passport information of the person (Visa information, passport photocopy/scan).
Dress Code Data
It is a data set containing distinctive characteristics of a person’s clothing (history of purchasing clothing, distinctive clothing worn).
It is a group of data on sanctions taken in the past (Criminal Prosecutions, Criminal Records, Disciplinary Records).
The Company has completed data classifications within the scope of data processing activities and based on the types of data used within the Company. In the Personal Data Inventory; as shown in the table shown above, as well as; In accordance with the ISMS Identification, Classification and Protection of Assets Instruction, Destruction Instruction, data classifications have been completed and retention periods have been determined with their justifications.
The Company processes personal data limited to the purposes and conditions within the personal data processing conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the KVK Law. These purposes and conditions are:
If stipulated in the relevant laws and regulations, the Company stores personal data for the period specified in these regulations. If
a period of time is not regulated
in the legislation regarding how long personal data should be kept, personal data is kept for the period required to be kept in accordance with the practices of the Company and the customs of the sector, depending on the activity carried out by the Company while processing that data, and then deleted, destroyed or anonymized in accordance with the relevant policy established by the Company in accordance with the nature of the data.
If the purpose of processing personal data has expired and the retention periods determined by the relevant legislation and the Company have expired, personal data may be stored only for the purpose of constituting evidence in possible legal disputes or for the assertion or defense of the relevant right related to personal data. In the establishment of the periods here, the retention periods are determined based on the statute of limitations for the assertion of the right in question and the examples in the requests previously addressed to the Company on the same issues despite the expiration of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. After the aforementioned period expires, personal data are deleted, destroyed or anonymized.
In accordance with Article 10 of the KVK Law, the Company informs the personal data owner of the groups of persons to whom personal data are transferred.
In accordance with Articles 8 and 9 of the KVK Law, the Company may transfer the personal data of the data owners governed by this Policy to the stakeholder categories listed below:
The scope of transfer and purposes of data transfer are stated below:
Data Transfer Purpose
It defines the parties with whom the Company has established business partnerships for purposes such as carrying out various projects and receiving services while conducting its commercial activities.
Purposes for the establishment of a joint venture
Defines the parties that provide services to the Company on a contractual basis in accordance with the orders and instructions of the Company while carrying out the Company’s commercial activities.
It is transferred in a limited manner in order to ensure that the Company provides the services outsourced by the Company from the supplier and necessary to fulfill the Company’s commercial activities.
Authorized Public Institutions and Organizations
Public institutions and organizations authorized to receive information and documents from the Company according to the provisions of the legislation.
It is transferred limited to the purpose when requested by public institutions and organizations and when they provide a legal basis.
16.1. Processing of Personal Data
The explicit consent of the personal data subject is only one of the legal grounds that make it possible to process personal data in accordance with the law. Apart from explicit consent, personal data may also be processed in the presence of one of the conditions specified in the law. The basis of the personal data processing activity may be only one of the following conditions, or more than one of these conditions may be the basis of the same personal data processing activity.
Tax Legislation, Labor Legislation, Trade Legislation etc.
Employee personal information must be kept in accordance with the legislation.
Performance of the Contract
Contract of Employment, Contract of Sale, Contract of Carriage, Contract of Work, etc.
A person who is unable to give consent due to actual impossibility or who lacks the power of discernment.
Contact or address information of an unconscious person. Location information of an abducted person.
Legal Liability of the Data Controller
Financial Audits, Security Legislation,
Sharing information in audits specific to areas such as Banking, Energy, Capital Markets.
Making information about oneself available to the public.
Posting one’s contact information so that they can be reached in case of emergency.
Establishment, Protection and Exercise of Right
Mandatory data to be used for filing lawsuits, registration procedures, all kinds of title deed transactions, etc.
Retention of necessary information about a departing employee during the statute of limitations.
Provided that the fundamental rights of the data subject are not harmed, data may be processed if it is mandatory for the legitimate interest of the data controller.
Data processing for the purpose of implementing rewards and bonuses that increase employee loyalty.
ENTRIES TO THE COMPANY SERVICE BUILDING AND PERSONAL DATA CONDUCTED IN THE BUILDING
In order to ensure security, the Company carries out personal data processing activities for the monitoring of guest entrances and exits with security cameras in the Company buildings.
The Company carries out personal data processing activities by using security cameras and recording guest entrances and exits.
Within the scope of the Company’s security camera monitoring activity; It aims to protect the interests of the company and other persons to ensure the security of the company and other persons. This monitoring activity is carried out in accordance with the KVKK and the Law on Private Security Services and the relevant legislation. In this context, the information that camera surveillance is carried out is announced to all employees and visitors and people are enlightened. Notification letters are posted at the entrances of the monitored areas. In accordance with Article 12 of the KVK Law, the Company takes necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera surveillance.
17.1. Monitoring of Guest Entry and Exit at the Entrances and Inside the Company Service Building
For the purpose of ensuring security by the Company and for other purposes specified in this Policy, personal data processing activities are carried out to monitor the guest entrances and exits of the Company’s service buildings. While the identity data of the persons who come to the Company’s service buildings as guests are obtained or through the texts posted in the Company or otherwise made available to the guests, the personal data owners in question are enlightened within this scope. The data obtained
for the purpose of tracking guest entry-exit are processed only for this purpose and the relevant personal data are physically recorded in the data recording system.
17.2. Storage of Records Regarding Internet Access Provided to Visitors at the Company’s Service Building
For the purpose of ensuring security and for other purposes specified in this Policy, the Company may provide internet access to visitors who request it during their stay in the buildings and facilities. In this case, log records regarding internet access are kept in accordance with the Law No. 5651 and the mandatory provisions of the legislation regulated in accordance with this Law, and these records are processed only upon request by authorized public institutions and organizations or in order to fulfill the relevant legal obligation in the audit processes to be carried out within the Company.
Pursuant to Article 138 of the Turkish Penal Code, Article 7 of the KVK Law and the “Regulation on Deletion, Destruction and Anonymization of Personal Data” issued by the Board, personal data shall be deleted, destroyed or anonymized upon the Company’s own decision or upon the request of the personal data owner in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the relevant law. The Company has established a policy in this regard in accordance with the provisions of the regulation and makes destruction according to the nature of the data in accordance with this policy. In accordance with this regulation, a Destruction Instruction has been created by the Company within the scope of ISMS, and periodic destruction is carried out at various intervals with the commencement of the obligation.
The Company informs the personal data owner of the rights of the personal data owner in accordance with Article 10 of the KVK Law and guides the personal data owner on how to exercise these rights regulated in Article 11, and the Company carries out the necessary channels, internal functioning, administrative and technical arrangements in accordance with Article 13 of the KVK Law in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.
19.1. Rights of the Data Subject and Exercise of These Rights
19.1.1. Rights of the Personal Data Owner
Personal data owners have the following rights:
a. To learn whether personal data is processed,
b. To request information if personal data has been processed,
c. To learn the purpose of processing personal data and whether it is used in accordance with its purpose,
d. To know the third parties to whom personal data is transferred domestically or abroad,
e. To request
correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
f. To request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and to request notification of the transaction carried out within this scope to third parties to whom personal data is transferred,
g. In the event that the
processed data is analyzed exclusively through automated systems and a result to the detriment of the person himself/herself arises, to object to this result
, h. In case of damage due to unlawful processing of personal data, to request compensation for the damage
19.1.2. Cases where the Personal Data Owner cannot assert his/her rights
Pursuant to Article 28 of the PDP Law, personal data owners cannot assert their rights listed in 20.1.1. in these matters, since the following cases are excluded from the scope of the PDP Law:
a. Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics,
b. Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime,
c. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security,
d. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution procedures.
Pursuant to Article 28/2 of the KVK Law; In the following cases, personal data owners cannot assert their other rights listed in 20.1.1, except for the right to claim compensation for damages:
a. Processing of personal data is necessary for the prevention of crime or criminal investigation,
b. Processing of personal data made public by the personal data owner himself,
c. Processing of personal data is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law,
d. Processing of
data is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial matters.
19.1.3. Exercise of Rights by the Personal Data Owner
Personal data owners may submit
their requests regarding their rights specified in this Policy to the Company free of charge by filling out and signing
the Application Form with the information and documents that will identify their identity and by the methods specified below or by other methods determined by the Personal Data Protection Board. Comprehensive regulation on this subject is made in the Company’s customer clarification text and details regarding the Company’s Personal Data Application request.
In order for the above-mentioned application to be accepted as a valid application, in accordance with the Communiqué on Application Procedures to the Data Controller, it
is obligatory that the relevant person;
a) Name, surname and signature if the application is in writing,
b) Turkish Republic identification number for citizens of the Republic of Turkey, nationality, passport number or identification number, if any, for foreigners,
c) Residential or workplace address for notification,
ç) Electronic mail address, telephone and fax number for notification, if any,
d) Subject of the request
. Otherwise, the application will not be considered as a valid application.
For applications to be made without filling out the application form, the issues listed here must be submitted to the Company in full. In order for third parties to make an application request on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the person who will make the application.
The Company has established the principles set forth in this document on the basis of policies regarding other data assets within the Company and sub-procedures for internal use on the protection and processing of personal data.
A management structure has been established by the Company to ensure compliance with the regulations of the KVK Law and the enforcement of the Personal Data Protection and Processing Policy.
The Information Security Committee has been assigned to manage this Policy and other policies related and related to this Policy within the Company in accordance with the decision of the senior management of the Company.
The duties of this Committee regarding the protection of personal data are stated below:
Explicit Consent: Consent regarding a specific subject, based on information and expressed with free will.
Anonymization: It is the modification of personal data in such a way that it loses its personal data nature and this situation cannot be reversed. For example: Masking, aggregation, data corruption, etc. Making personal data impossible to be associated with a natural person by using techniques.
Application Form: “Application Form Regarding Applications to be made to the Data Controller by the Relevant Person (Personal Data Owner) in accordance with the Law No. 6698 on the Protection of Personal Data”, which includes the application to be made by personal data owners to exercise their rights.
Employee Candidate: Real persons who have applied for a job to the Company by any means or who have opened their resume and related information.
Employees, Shareholders and Authorities of Cooperating Organizations: Natural persons working in organizations with which the Company has any kind of business relationship (such as, but not limited to, business partners, suppliers), including the shareholders and officials of these organizations.
Business Partner: Parties with whom the Company has established a business partnership for purposes such as carrying out various projects personally or together while conducting its commercial activities and receiving services.
Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Personal Data Owner: The real person whose personal data is processed. For example; customer, staff, supplier employee
Personal Data: Any information relating to an identified or identifiable natural person. Therefore, the processing of information on legal entities is not covered by the Law. For example; name-surname, Turkish ID number, e-mail, address, date of birth, credit card number, etc.
Sensitive Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Supplier: Parties that provide services to the Company on a contractual basis in accordance with the Company’s orders and instructions while carrying out the Company’s commercial activities.
Third Party: Natural persons (e.g. family members, former employees) whose personal data are processed within the scope of the policy, who are not defined differently within the scope of the policy.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. For example, the cloud computing company that holds the Company’s data is
the Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system). The Company is the data controller under this policy.
Deletion of Data: It refers to the situation where all relevant users within the company are encrypted in a way that prevents access to personal data and only the data protection officer has this password.
Destruction of Data: It refers to the situation where personal data is completely eliminated physically or by technological methods in a way that cannot be returned again.
Visitor: Natural persons who have entered the physical premises owned by the Company for various purposes or who visit our websites.
Çağdaş Makina Import Export Industry Tic. Ltd. Sti.
Address: Makine İhtisas O.S.B. 16. Sok. No:2 Dilovası / Kocaeli / Turkey
Uluçınar Data Department 2170390408
Mersis No: 0217039040800026
Telephone: +90 (262) 658 22 66 Fax: +90 (262) 658 22 76
INFORMATION SECURITY POLICY
– Ensuring the confidentiality and integrity of the information of our company and its customers,
– Providing the necessary infrastructure to guarantee the continuity of our company’s services,
– Taking physical and logical security measures in accordance with the value of the information owned,
– Assigning access rights in accordance with the “need-to-know” principle to control access to information and preventing unauthorized access,
– Considering security needs when developing software, –
Protecting information assets against malicious codes such as viruses and attacks that may be made in cyber environment from outside the company,
– Developing a response process against information security incidents,
– Providing information security trainings to its employees and increasing information security awareness,
– Complying with laws and regulations,
– Ensuring compliance of stakeholders with our company’s Information Security Policies,
– Complying with the principles of secure system engineering,
PERSONAL DATA PROTECTION POLICY
To process personal data in accordance with the law and honesty rules
To ensure the accuracy and timeliness of the personal data processed To
process personal data in a purpose-related, limited and measured manner To
keep personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed To ensure that
all our employees work with the awareness to take the necessary measures and pay attention to the Protection of Personal Data