GÜBRETAŞ MADEN YATIRIMLARI A.Ş. GENERAL POLICY REGARDING PERSONAL DATA PROCESSING AND PROTECTION

 

1. INTRODUCTION

It is essential for Gübretaş Maden Yatırımları A.Ş. (“Company”); to provide that personal data pertains to the Company shareholders, board members, employees, employment and internship applicants, firms having employment/service relationship and representatives such firms, subcontractors, visitors of the facilities of the Company and personal data that has processed by the Company in accordance with the relevant legislation in particular with the Law No. 6698 on the Protection of Personal Data (“Law on PoPD”) and to ensure that the persons whose personal data has processed (“Related Person”) are effectively exercising their legal rights.

The Company, exercises all of its actions with respect to processing, obtaining, recording, storing, copying, back-up, preserving, changing, rearranging, disclosing, transferring, taking over, making accessible, obtaining statistical reports, categorizing or preventing the use of personal data that is obtained during its activities or in the line of its activities pursuant to the Company-General Policy Regarding Protection and Processing Transaction of Personal (“Policy”).

This Policy text was prepared in Turkish and English languages, and in case of any contradiction between the two versions the Turkish version shall prevail.

Under Law on PoPD, the personal data means any kind of information related to a certain or identifiable real person and sensitive personal data which is a special type of the personal data means any data about type of race, ethnicity, origin, political opinion, philosophical belief, religion, sect or other beliefs, on disguise and clothing, association, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

 

Gübretaş Maden Yatırımları A.Ş. (“Şirket”); Şirket hissedarları, yönetim kurulu üyeleri, personeli, iş ve staj başvurusunda bulunan adaylar, iş/hizmet ilişkisinde bulunduğu firmalar ve bu firmaların temsilcileri, taşeron firmalar, Şirket tesisleri ziyaretçileri ve Şirket tarafından işlenen kişisel verilerin, 6698 sayılı Kişisel Verilerin Korunması Kanunu (“KVKK”) başta olmak üzere ilgili mevzuata uygun olarak işlenmesini ve kişisel verisi işlenen kişilerin (“İlgili Kişi”) yasal haklarını etkin şekilde kullanmasını sağlamaya önem vermektedir.

2. PROCEDURE FOR PERSONAL DATA PROCESSING-PROTECTION APPLIED BY THE COMPANY

 

i.       General Policy
According to the general policy in the matter of personal data processing-protection, the Company;
–  Only requests required information in line with a legal obligation, a processing condition, and/or a specific purpose pursuant to the relevant legislation from the Related Persons,
–  Informs the Related Persons about which data is requested for which purpose, in what manner, for which purpose and until when such data will be stored (including keeping and recording through documents created in software systems and other software and servers), to whom such data may be transferred, that such data may be shared with the Company’s shareholders, affiliates, subsidiaries and other group companies (“Group Companies”) and third parties (including but not limited to server, hosting, program, cloud information systems), and in the matter of the rights of the Related Persons.
–  Requests express consent of the Related Person in case of express consent is required for personal data processing, does not in any way make the consent obligatory by making it a prerequisite, for execution of a transaction/a service.
–  Processes and protects all personal data obtained in accordance with the relevant legislation; takes the administrative and technical measures determined by the Personal Data Protection Committee for the privacy of such data.
– In the first instance raises the awareness of its employees about the personal data that it is processing; limits its employees’ access to personal data to the extent as required by their duties and adds undertakings regarding the personal data protection to their employment agreements. In addition, it enters into agreement with third parties and institutions which it transfers personal data to ensure the method and privacy of personal data processing.
–  Keeps the personal data that it obtained only for the terms specified in the law or during the period in which such data should be stored/recorded in any way; deletes, destroys or anonymizes all personal data that are not required to be used in accordance with the relevant legislation.
–  Also inform the Related Persons to exercise their legal rights regarding their personal data that is being processed.
ii.      Fundamental Principles
The Company, shows sensitivity to the fact that all the personal data that is being processed;
a.      complies with the law and principles of good faith,
b.      is accurate and up-to-date when necessary,
c.      is processed for certain, clear and legitimate purposes,
d.      is in relation with, limited to and moderate with the processing purposes,
e.    is preserved for the term that is set forth under relevant legislation or that is required for the purpose for which they are processed
and takes the administrative and technical measures that are necessary for the personal data processing in accordance with these principles.
iii.     Measures for Personal Data Protection
The necessary and adequate administrative and technical measures are taken by the Company and awareness is created for the Company employees in this respect.
iv.      Application Right of Related Persons
Within the scope of its obligation of disclosure, the Company, informs the Related Persons whose personal data is being processed in respect of their rights under Article 11 of Law on PoPD. The Related Persons can address their following rights to the Company at any time:
–  Learn whether their personal data has been processed or not,
–  Request information as to processing if their personal data has been processed,
–  Learn the purpose of processing their personal data and whether their personal data is used in accordance with their purposes,
–  Learn the purpose of processing their personal data and whether their personal data is used in accordance with their purposes,
–   Request rectification in case their personal data are incompletely or inaccurately processed,
–  Request deletion, destruction or anonymizing of their personal data on the ground that the reasons necessitating their processing cease to exist
–  In case their personal data was deleted or destroyed or anonymized, request notification of the operations made to third parties to whom their personal data has been transferred;
–  Object to occurrence of any unfavorable result by means of analysis of their personal data exclusively through automated systems;
–  In case their personal data has been unlawfully processed and a damage occurs due to such unlawful process, request compensation for the damages
Within this context, the Related Persons can submit their requests related to the above-mentioned rights through methods indicated by the Personal Data Protection Committee within the context of the Law on PoPD and the relevant legislation and in line with the legislative regulations, by fulfilling the conditions set forth by the Personal Data Protection Committee, to the Company. Before applying, the updated application methods and context should be checked from the legislation.
These requests shall be concluded as soon as possible considering the nature of the request and in any event within 30 (thirty) days at the latest free of charge or for the fee in the tariff in case the conditions set forth under the tariff to be published by the Personal Data Protection Committee are met.
The Company reserves the right to request additional information and documents during application or during application evaluation when required.
The Company accepts or rejects the request by explaining the grounds and informs the Related Person in writing or electronically. If the request in the application is accepted, it is fulfilled by the Company. In case the application is aroused from the fault of the Company, the fee collected is refunded to the Related Person.