Access, Information Security and Usage Policy of Personal Data

INDEX
1. INTRODUCTION
2. CATEGORIZATION OF PERSONAL DATA
2.1. Personal Data 
2.2. Sensitive Personal Data 
3. PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA 
3.1. Processing in compliance with Law and Fairness 
3.2. Ensuring that Personal Data is Accurate and Up-to-date when necessary 
3.3. Processing for specified, explicit and legitimate purposes 
3.4. Being relevant, limited and proportionate to the purposes for which they are processed 
3.5. Storage of Personal Data for the period stipulated by legal regulations and during Commercial Requirements 
4. PURPOSES FOR PERSONAL DATA PROCESSING 
5. Transfer of personal data 
5.1. Transfer of Personal Data within the Country 
5.2. Transfer of Personal Data Abroad 
5.3. Third Parties to Whom Personal Data Can Be Transferred
6. CONDITIONS WHERE EXPLICIT CONSENT IS NOT SOUGHT IN THE PROCESSING OF PERSONAL DATA
7. LIABILITIES IN THE PROTECTION AND PROCESSING OF PERSONAL DATA 
7.1. Obligation to Register with the Data Controllers Registry 
7.2. Obligation to Inform Data Subject 
7.3. Obligation to respond to the requests of the Data Subject 
7.4. Obligation to Ensure the Security of Personal Data 
8. REQUEST 
9. RIGHT TO COMPLAINT 
10. RESPECT TO POLICY
11. PUBLICATION AND ENFORCEMENT OF THE POLICY 

1. INTRODUCTION

This Personal Data Protection and Processing Policy ("Policy") sets out the points regarding the protection and processing of personal data to be taken into account in practice by KRK Holding A.Ş. ("KRK Holding", "the Company") and the other group companies within its structure.

The Policy aims to ensure that the activities of KRK Holding, which it has carried out with care for the protection of personal data since its foundation, are conducted in accordance with the principles and rules stipulated in the Personal Data Protection Law No. 6698 ("Law"), especially the principles of compliance with the law, honesty and transparency.

All kinds of technical and administrative measures are taken within KRK Holding for the processing and protection of personal data, in line with the principles set out in the Law and this Policy. In this context, the necessary training is organized to raise employees' awareness.
Necessary notifications and warnings are given to data subjects on the relevant matters.

2. CATEGORIZATION OF PERSONAL DATA 

2.1. PERSONAL DATA
"Personal data" means any information relating to an identified or identifiable natural person. Protection of personal data only concerns the data of natural persons. Data belonging to our company that do not contain information about natural persons are excluded from personal data protection. Therefore, this Policy does not apply to other data belonging to KRK Holding.

2.2 SENSITIVE PERSONAL DATA
Sensitive personal data are data that, if learned, may cause discrimination against or victimization of the relevant person. Data relating to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are deemed to be sensitive personal data.
KRK Holding and its group companies pay particular attention to the processing and protection of sensitive personal data. When processing sensitive personal data, it is first determined whether the data processing conditions exist, and data processing activities are carried out after ensuring that the legal compliance requirements are met. Sensitive personal data are processed directly in cases required by the legislation, in accordance with the measures stipulated by the Personal Data Protection Authority, and in other cases are processed with the explicit consent of the data subject.

3. PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
KRK Holding and its group companies process personal data in accordance with the principles stated below and closely follow changes in legislation and other areas.

3.1 Processing in accordance with the Law and Good Faith Rules
KRK Holding processes personal data lawfully and fairly. In this context, our company processes personal data in a limited manner, to the extent required by business activities.

3.2 Ensuring that Personal Data is Accurate and Up-to-date when necessary 
KRK Holding has taken the necessary technical and administrative measures to ensure the accuracy and security of personal data during the processing. It ensures the correction of the data upon the request of the data subject or upon detection.

3.3 Processing for specified, explicit and legitimate purposes
KRK Holding sets out the purposes for processing personal data in a specified and explicit way and processes it for legitimate purposes in connection with business activities.

3.4 Being relevant, limited and proportionate to the purposes for which they are processed 
KRK Holding processes personal data in connection with data processing conditions to the extent necessary for the realization of data processing purposes. 

3.5 Personal Data Storage for the period stipulated by Legal Regulations and During Commercial Requirements
KRK Holding abides by the period stipulated in the relevant legislation or required by the purpose of data processing. If such a period is determined, personal data is erased, destroyed or anonymized upon the expiry of the period or when the reasons for processing the personal data cease to exist.

4. PURPOSES FOR PERSONAL DATA PROCESSING

Examples of the personal data processing purposes of KRK Holding and its group companies are listed below:
– Fulfilling the wage payment process for employees and arranging the mandatory notifications to be made to Public Institutions,
– Organizing training for employees,
– Creating employees' personal files,
– Execution of financial transactions,
– Carrying out marketing activities,
– Carrying out logistics activities,
– Execution of contract processes,
– Complying with the legislation,
– Fulfilling financial and accounting procedures,
– Preparation of documents for the performance of representation activities such as power of attorney, authorization certificate for employees,
– Contact with banks,
– Replying in writing to notifications from official authorities,
– Contact with legal or real persons with whom we have commercial relations,
– Providing workplace safety,
– Fulfilling the obligations for subcontractor employees,
– Performing transactions regarding signed contracts,
– Performing legal obligations,
– Tracking employee arrival times,
– Fulfilling the obligations stipulated within the framework of Law No 6331,
– Keeping records in terms of legal disputes that may arise,
– Keeping internet access records in accordance with Law No 5651,
– Creating visitor records,
– Carrying out strategic planning activities,
– Ensuring physical space security.

5. TRANSFER OF PERSONAL DATA  

KRK Holding and its group companies can transfer personal data and sensitive personal data of data subjects to third parties in the country in accordance with the law, by taking the necessary security measures in line with personal data processing purposes. Accordingly, we act in accordance with the personal data transfer conditions regulated in Article 8 of the Law.

5.1 Transfer of Personal Data in Turkey
KRK Holding acts in accordance with the data processing conditions in data transfer activities carried out within the country, in accordance with Article 8 of the Law. For this reason, personal data are not transferred to third parties without the explicit consent of the data subject. However, within the framework of the exceptions stipulated in the Law, if one of the situations exists in which the explicit consent of the data subject is not sought, personal data may be transferred to third parties in Turkey without the explicit consent of the data subject.

5.2 Transfer of Personal Data Abroad
KRK Holding and its group companies can transfer personal data and sensitive personal data of data subjects to third parties abroad by taking the necessary security measures in line with personal data processing purposes. Our company can transfer personal data to foreign countries that have been declared by the Personal Data Protection Board to have an adequate level of protection or, in the absence of an adequate level of protection, where the data controllers in Turkey or in the relevant foreign country have committed in writing to adequate protection and the Personal Data Protection Board has given its authorisation.

5.3 Third Parties to Whom Personal Data Can Be Transferred
KRK Holding may transfer the personal data of data subjects to the categories of persons listed below, in accordance with Article 8 of the Law, within the framework of the principles stipulated in Article 3 of this Policy: 
– Third party companies in cooperation
– Official Authorities
– Banks
– Lawyers
– Workplace doctor
– Contracted joint health and safety unit companies
– Company Shareholders
– Group companies

6. CONDITIONS WHERE EXPLICIT CONSENT OF DATA SUBJECT IS NOT SOUGHT IN THE PROCESSING OF PERSONAL DATA

Where the following conditions are met, the company can process personal data, by taking the necessary administrative and technical measures, even without the explicit consent of the data subject:
– In case the personal data processing activity is clearly stipulated in the laws, 
– In case the explicit consent of the data subject cannot be obtained due to the factual impossibility and personal data processing is mandatory, 
– In case the personal data processing activity is directly related to the drawing up or performance of a contract,
– In case the personal data processing activity is required for the company to fulfill its legal obligation, 
– In case the data subject has disclosed his/her personal data,
– In case data processing is mandatory for the establishment or protection of a right,
– In case data processing is mandatory for the legitimate interest of our company.

7. OBLIGATION CONCERNING PROTECTION AND PROCESSING OF PERSONAL DATA

7.1 Obligation to Register with the Data Controllers’ Registry System
KRK Holding and other companies within its structure will fulfill the obligation to register in the Data Controllers Registry Information System (Verbis), which is stipulated in the Law and the Regulation on the Data Controllers Registry, to be established by the Personal Data Protection Board, and will share the following information with the public:
– Information relating to the identity and the residential and business address of the data controller and of the representative of the data controller, as contact person,
– The purposes for which the personal data will be processed,
– Data categories,
– The recipients or groups of recipients to whom personal data may be transferred,
– The personal data which are envisaged to be transferred abroad,
– Technical and administrative measures taken concerning the security of personal data,
– The maximum period required for the purpose for which personal data are processed.

7.2 Obligation to Inform the Data Subject
Pursuant to Article 10 of the Law, when personal data is obtained, the data controller is obliged to inform the data subjects about the following:
– the identity of the data controller
– the purpose of processing of personal data
– to whom and for which purposes the processed personal data 
– the method and legal basis of collection of personal data
– other rights of the data subject

7.3 Obligation to respond to the requests of the Data Subject
Pursuant to Article 11 of the Law, the data subject shall make the requests for information about his/her own personal data to the data controller in writing or by other means to be determined by the Personal Data Protection Board.
In this context, data subjects have the right:
– to learn whether his/her personal data are processed or not,
– if personal data has been processed, to demand information regarding this,
– to learn the purpose of the processing of his/her data and whether these personal data are used in compliance with the purpose,
– to know the third parties to whom personal data is transferred in country or abroad,
– to demand rectification in case of incomplete or inaccurate personal data and to request that the third persons to whom personal data are disclosed be notified about the rectification process,
– to object to a result that arises against the data subject from the analysis of the processed personal data,
– to claim compensation for the damage arising from the unlawful processing of his/her personal data.

7.4 Obligation concerning data security
KRK Holding and its group companies, pursuant to Article 12 of the Law, are obliged to take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of preventing unlawful processing of personal data, preventing unlawful access to personal data and ensuring protection of personal data in accordance with the law.

8. RIGHT TO MAKE A REQUEST

If a data subject makes a request regarding the above-listed rights to our address "Gayrettepe Mah. Gönenoğlu Sk. No:7 34349 Beşiktaş İstanbul / Türkiye" in writing with an original signed document or by other means specified in the legislation, our Company shall conclude his/her request within thirty (30) days at the latest.

9. RIGHT TO LODGE A COMPLAINT WITH THE BOARD
The data subject must be informed that he/she has the right to lodge a complaint with the Personal Data Protection Board within 30 days if his/her request is refused, the response of the data controller is found insufficient or the request is not answered by the controller in good time.

10. COMPLIANCE WITH POLICY

– Systems for erasure, destruction and anonymization of personal data are updated.
– Necessary security systems have been established for the protection of personal data. The system is kept up to date. 
– Data subjects are informed during the acquisition of the data, and the necessary information is provided upon request.
– While creating policies for the protection and processing of personal data, the regulations stipulated in the Law and the relevant legislation are followed. 

11. PUBLICATION AND ENTRY INTO FORCE 

The Policy, which was prepared and put into force by KRK Holding, is published on our website (www.krkholding.com) and made available to the relevant persons upon request. The Policy is reviewed and updated regularly, if necessary, taking into account the latest developments in the legislation.