1. Introduction

1.1. Purpose of the Policy

Within the scope of the Law No. 6698 on the Protection of Personal Data (“Law”) Ramsoy Construction Insulation Chemical Substance San. ve Tic. Ltd. Sti. (“Company” and “Company”), processing and protecting personal data in accordance with the law is among our top priorities. We follow the same priority in all our planning and business activities. In this context, to enlighten you in accordance with Article 10 of the Law; We present this Personal Data Processing and Protection Policy (“Policy”) to your information in order to inform all the administrative and technical measures we will implement within the scope of the processing and protection of personal data.

1.2 Scope

This Policy determines the processing conditions of personal data and sets out the principles adopted by the Company in the processing of personal data. In this context, the Policy; It covers all personal data processing activities carried out by the company within the scope of the Law, all personal data processed and the owners of this data.

1.3 Definitions

Open Consent Consent on a particular subject, based on information and expressed with free will.
Anonymization Making the data previously associated with a person incapable of being associated with an identified or identifiable natural person in any way, even by matching them with other data.
Employee Candidate Real persons who do not work within the company but are in the status of employee candidate.
Personal Data Any information relating to an identified or identifiable natural person.
Data Owner The natural person whose personal data is processed.
Processing of Personal Data Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system. Any operation performed on the data, such as blocking.
Law Law on Protection of Personal Data No. 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677.
Special Qualified Personal Data Data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Policy Personal Data Processing and Protection Policy
Company/Company Ramsoy Construction Insulation Chemical Substance San. ve Tic. Ltd. Sti.
Data Processor It is the natural and legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Controller It is the person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically.
Data Recording System It is a recording system in which personal data is processed and structured according to certain criteria.
Work partners Persons with whom the Firm has partnered within the scope of contractual relations within the framework of its commercial activities.

 

1.4 Enforcement of the Policy

This Policy, prepared by the company, entered into force on 31.03.2021 and was presented to the public. In case of conflict with the legislation in force, especially the Law, and the regulations included in this Policy, the provisions of the legislation shall apply.

The company reserves the right to make changes in the Policy in line with the legal regulations. You can access the current version of the Policy on the website of the Company (https://ramsoy.com.tr/).

2. Information on Personal Data Processing Activities Conducted by the Company

2.1 Data Subjects

Data subjects within the scope of the policy are all natural persons, other than Company employees, whose personal data are processed by the Company. In general, data owners can be listed as follows:

customers It refers to the real persons who benefit from the products and services offered by the Company.
Potential Customers It refers to real persons who are interested in the products and services offered by the Company and have the potential to turn into customers.
Employee Candidates It refers to real persons who apply for a job by sending a CV to the company or by other methods.
visitors It refers to the people who come to visit the company for any reason.
Third Parties It refers to natural persons excluding the data owner categories mentioned above and Company employees.

The categories of data subjects described in the table above are specified for general information sharing purposes. The fact that the data owner does not fall under any of these categories does not remove the data owner's qualification as specified in the Law.

2.2 Purposes of Processing Personal Data

2.2.1 Carrying out the necessary work by the relevant units and carrying out the business processes in order to benefit the persons concerned from the products and services offered by the Company:

1. Planning and executing the sales processes of products and/or services,

2. Planning and/or execution of after-sales support services activities,

3. Planning and execution of customer relationship management processes,

4. Follow-up of contract processes and/or legal requests,

5. Follow-up of customer demands and/or complaints.

2.2.2 Planning and executing firm human resources policies and processes:

1. Planning and execution of talent-career development activities,

2. Fulfillment of obligations arising from employment contracts and/or legislation for company employees,

3. Planning and executing fringe benefits and benefits for employees,

4. Planning and execution of in-house orientation activities,

5. Planning and execution of personnel exit procedures,

6. Fee management

7. Planning of human resources processes,

8. Managing the personnel procurement processes,

9. Planning and executing appointment-promotion and dismissal processes for the company,

10. Planning and executing the performance evaluation processes of the employees,

11. Monitoring and/or supervision of the work activities of the employees,

12. Planning and/or execution of in-company training activities,

13. Planning and execution of employee satisfaction and/or loyalty processes,

14. Planning and executing the processes of receiving and evaluating suggestions for the improvement of the work and/or production processes of the employees,

15. Planning and/or execution of intern and/or student recruitment, placement and operation processes.

2.2.3 For the realization of the commercial activities carried out by the company, the necessary work is carried out by the relevant business units and the related business processes are carried out:

1. Event management,

2. Planning and execution of business activities,

3. Planning and execution of corporate communication activities,

4. Planning and execution of supply chain management processes,

5. Planning and execution of production and/or operation processes,

6. Planning, auditing and execution of information security processes,

7. Creation and management of information technology infrastructure,

8. Planning and executing information access authorizations of business partners,

9. Follow-up of finance and/or accounting works,

10. Planning and execution of corporate sustainability activities,

11. Planning and execution of corporate governance activities,

12. Planning and/or execution of business continuity activities,

13. Planning and execution of logistics activities.

2.2.4 Planning and executing the activities necessary to recommend and promote the products and services offered by the company to the relevant persons by customizing them according to their tastes, usage habits and needs:

1. Identification and/or evaluation of the persons to be subject to marketing activities in line with consumer behavior criteria,

2. Designing and/or performing personalized marketing and/or promotional activities,

3. Designing and/or executing advertising and/or promotion and/or marketing activities in digital and/or other media,

4. Designing and/or executing activities to be developed on customer acquisition and/or value creation in existing customers in digital and/or other channels,

5. Planning and/or executing data analytics studies for marketing purposes,

6. Planning and executing the marketing processes of products and/or services,

7. Planning and/or executing the processes of establishing and/or increasing loyalty to the products and/or services offered by the company.

2.2.5 Planning and executing the Firm's commercial and/or business strategies:
Managing relations with business partners.

2.2.6 Ensuring the legal, technical and commercial occupational safety of the Company and the persons who have a business relationship with the Company:

1. Follow-up of legal affairs

2. Planning and executing the necessary operational activities to ensure that the company's activities are carried out in accordance with company procedures and/or relevant legislation,

3. Giving information to the authorized institutions based on the legislation,

4. Creation and follow-up of visitor records,

5. Planning and execution of emergency management processes,

6. Realization of company and partnership law transactions,

7. Planning and executing company audit activities,

8. Planning and/or execution of occupational health and/or safety processes,

9. Carrying out risk management of credit processes,

10. Ensuring the security of company premises and/or facilities,

11. Ensuring the security of company operations,

12. Planning and/or execution of the company's financial risk processes,

13. Ensuring the security of company fixtures and/or resources.

2.3 Categories of Personal Data

Personal data categorized as follows by the company are processed in accordance with the personal data processing conditions in the Law and relevant legislation:

Data Category explanation
credential Information contained in documents such as driver's license, identity card, residence, passport, attorney's ID, marriage certificate.
Communication information Information used to contact the person (eg e-mail address, phone number, mobile phone number, address).
Location information Information that serves to identify the location of the data subject (eg location information obtained while driving).
Customer information Information about customers who benefit from our products and services (eg customer number, occupation information, etc.).
Customer transaction information Information on any transaction performed by customers using our products and services.
Physical location security information Personal data regarding records and documents such as camera records, fingerprint records taken during the entrance to the physical space and during the stay in the physical space.
Transaction security information Personal data processed to provide technical, administrative, legal and commercial security while carrying out the commercial activities of the Firm.
financial information Personal data processed for information, documents and records showing all kinds of financial results created according to the type of legal relationship established by the Company with the personal data owner.
Employee candidate information Personal data processed regarding individuals who have applied to be an employee of the Company or who have been evaluated as an employee candidate in line with human resources needs in accordance with commercial practices and honesty rules, or who have a working relationship with the Company.
Legal action and compliance information Personal data processed within the scope of determination of the legal receivables and rights of the company, follow-up and performance of its debts, legal obligations and compliance with the company's policies.
Audit and inspection information Personal data processed within the scope of the Company's compliance with its legal obligations and company policies.
Special quality data Data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data of individuals.
Marketing information Personal data processed for the marketing of the products and services offered by the Company in line with the usage habits, tastes and needs of the personal data owner, and the reports and evaluations created as a result of these processing results.
Request/complaint management information Personal data regarding the receipt and evaluation of all kinds of requests or complaints directed to the Company.
Reputation management knowledge Information collected for the purpose of protecting the company's commercial reputation, evaluation reports prepared for this and information about the actions taken.
Incident management information Personal data processed in order to take the necessary legal, technical and administrative measures against the developing events in order to protect the commercial rights and interests of the Company and the rights and interests of its customers.

 3. Principles and Conditions Regarding the Processing of Personal Data

Regarding the processing of personal data in accordance with Article 4 of the Law; engages in the processing of personal data in a limited and measured manner in accordance with the law and the rules of honesty, accurately and, when necessary, for up-to-date, specific, clear and legitimate purposes. The company retains personal data for as long as required by law or for the purpose of processing personal data.

3.1 Principles Regarding the Processing of Personal Data

The company is to enlighten the data owners in accordance with Article 10 of the KVK Law, and in cases where consent is required, the company processes this personal data on the basis of the principles set forth below, by requesting their consent.

3.1.1 Processing of Data in Compliance with the Law and the Rule of Integrity

The company acts in accordance with the principles brought by legal regulations and the general rule of trust and honesty in the processing of personal data. In accordance with the principle of being in compliance with the rule of integrity, the Company takes into account the interests and reasonable expectations of the data subjects while trying to achieve its goals in data processing.

3.1.2 Ensuring Personal Data Are Accurate and Up-to-Date When Necessary

Keeping personal data accurate and up-to-date is necessary for the Company to protect the fundamental rights and freedoms of the person concerned. The Company has an active duty of care to ensure that personal data is accurate and up-to-date when necessary. For this reason, all communication channels are open for the Company to keep the information of the data owner accurate and up-to-date.

3.1.3 Processing of Data for Specific, Explicit and Legitimate Purposes

The company clearly and precisely determines the purpose of processing personal data, which is legitimate and lawful. It processes personal data in connection with the commercial activity it carries out and as necessary for these.

3.1.4 Relevance, Limitation and Proportion of Data to the Purpose for which they are Processed

Company; processes personal data within the scope of the purposes related to its field of activity and necessary for the conduct of its business. For this reason, it processes personal data in a way that is suitable for the realization of the determined purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed.

3.1.5 Retention of the Data as Envisioned in the Relevant Legislation or Required for the Purpose of Processing

The company retains personal data only for as long as required by the relevant legislation or for the purpose for which they are processed. In this context; first of all, it determines whether a period is foreseen for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period, and if a period is not determined, it stores the personal data for the period required for the purpose for which they are processed. Personal data is deleted, destroyed or anonymized by the Company after the disappearance of the purpose of personal data processing or the expiry of the period stipulated in the legislation.

3.2 Conditions Regarding the Processing of Personal Data

In case of existence of at least one of the personal data processing conditions in Article 5 of the Law, your personal data is processed by the Company.

3.2.1 Explicit consent of the personal data owner

One of the conditions for the processing of personal data is the explicit consent of the owner. The explicit consent of the personal data owner should be disclosed on a specific subject, based on information and free will.

In order to process personal data based on the explicit consent of the personal data owner, explicit consent is obtained from customers, potential customers and visitors through relevant methods.

3.2.2 Explicitly foreseeing personal data processing activities in laws

The personal data of the data owner can be processed in accordance with the law without the explicit consent of the data owner, if it is expressly stipulated in the law.

3.2.3 Failure to obtain the explicit consent of the person due to actual impossibility

The personal data of the data owner can be processed if it is necessary to process the personal data of the person who is unable to express his or her consent due to actual impossibility or whose consent will not be valid, in order to protect the life or physical integrity of himself or another person.

3.2.4 Personal data is directly related to the conclusion or performance of a contract

Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process the personal data of the parties to the contract.

3.2.5 The company's fulfillment of its legal obligation

In case the processing is necessary for the Company to fulfill its legal obligations as a data controller, the personal data of the data subject can be processed.

3.2.6 Making the personal data of the data subject public

If the data owner has made his personal data public by himself, the relevant personal data may be processed.

3.2.7 Data processing is mandatory for the establishment or protection of a right

If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.

3.2.8 Data processing is mandatory for the legitimate interest of the Company

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is necessary for the legitimate interests of the Company.

3.3 Processing of Private Personal Data

The company strictly complies with the regulations stipulated in the KVK Law in the processing of personal data determined as "special quality" by the KVK Law.

By the company; Special categories of personal data are processed in the following cases, provided that adequate measures to be determined by the KVK Board are taken:

If the personal data owner has express consent, or

· If the personal data owner does not have express consent;

Special categories of personal data other than the health and sexual life of the personal data owner, in cases stipulated by the laws,

Special categories of personal data relating to the health and sexual life of the personal data owner, only for the purposes of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, or persons or authorized institutions under the obligation of confidentiality. processed by organizations.

4. Transfer of Personal Data

The company can transfer the personal data and sensitive personal data of the data owner to third parties in the country or abroad by taking the necessary security measures in line with the personal data processing purposes in accordance with the law. Accordingly, the company acts in accordance with the regulations stipulated in Article 8 of the KVK Law.

4.1 Transfer of personal data to third parties in the country

Your personal data can be transferred by the Company in the presence of at least one of the data processing conditions stated in Articles 5 and 6 of the Law and explained under Title 3 of this Policy, provided that it complies with the basic principles regarding data processing conditions.

4.2 Transfer of personal data to third parties abroad

The company can transfer the personal data and sensitive personal data of the personal data owner to third parties abroad, in the presence of at least one of the data processing conditions explained under Title 3 of this Policy and by taking the necessary security measures. Personal data by the company; To foreign countries declared to have adequate protection by the KVK Board (“Foreign Country with Sufficient Protection”) or to foreign countries where the data controllers in Turkey and the relevant foreign country undertake in writing to provide adequate protection and where the permission of the KVK Board is granted in case of insufficient protection. (“Foreign Country of Data Controller Undertaking Adequate Protection”) is transferred. Accordingly, the company acts in accordance with the regulations stipulated in Article 9 of the KVK Law.

4.3 Third parties to whom personal data are transferred and the purposes for which they are transferred

In accordance with the general principles of the law and the data processing conditions in Articles 8 and 9, the Firm can transfer data to the parties categorized in the table below:

Persons to whom Data Transfer can be made Definition Aim
Business partner Parties with whom the Firm has established business partnerships while carrying out its commercial activities Limited sharing of personal data in order to ensure the fulfillment of the purposes of the establishment of the business partnership
Shareholders Shareholders who are authorized to design strategies and audit activities of the Firm in accordance with the provisions of the relevant legislation Sharing personal data limited to the design of strategies regarding the Company's commercial activities and audit purposes
Company officials Members of the board of directors and other authorized persons Sharing personal data limited to designing strategies for the company's commercial activities, ensuring the highest level of management and auditing purposes
Legally Authorized Public Institutions and Organizations Public institutions and organizations that are legally authorized to receive information and documents from the Firm Limited personal data sharing for the purpose of requesting information by relevant public institutions and organizations
Legally Authorized Private Law Persons Private law persons who are legally authorized to receive information and documents from the Firm Sharing of data limited to the purpose requested by the relevant private legal persons within the legal authority

 

5. Data Subject's Rights and Exercise of Related Rights

5.1 Rights of the personal data owner:

1. Learning whether personal data is processed or not,

2. Requesting information on personal data if it has been processed,

3. To learn the purpose of processing personal data and whether they are used in accordance with the purpose,

4. Knowing the third parties to whom personal data is transferred in the country or abroad,

5. Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,

6. To request the deletion or destruction of personal data in the event that the reasons requiring its processing have disappeared, although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and to request the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,

7. Objecting to this result in case a result against the person arises by analyzing the processed data exclusively through automated systems,

8. To request the compensation of the damage in case of loss due to unlawful processing of personal data.

In case the personal data is not obtained directly from the data owner; By the company (1) within a reasonable period of time after the personal data is obtained, (2) during the first communication in case the personal data will be used for communication with the data owner, (3) in the case of the personal data to be transferred, at the latest, the personal data will be used for the first time. Activities regarding the disclosure of data owners are carried out at the time of transfer.

5.2 Cases where the personal data owner cannot assert his rights:

Personal data owners cannot claim their rights listed in 5.1 in these matters, since the following cases are excluded from the scope of KVK Law in accordance with Article 28 of the KVK Law:

1. Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with,

2. Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics,

3. Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime,

4. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security,

5. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

28.2 of the KVK Law. pursuant to the article; In the cases listed below, personal data owners cannot claim their other rights listed in 5.1, except for the right to demand the compensation of the damage:

1. Personal data processing is necessary for the prevention of crime or for criminal investigation,

2. Processing of personal data made public by the personal data owner himself,

3. The processing of personal data is necessary for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by the law,

4. The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

6. Deletion, Destruction, Anonymization of Personal Data

Although it has been processed in accordance with the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVK Law, personal data is deleted or destroyed upon the decision of the Company or upon the request of the personal data owner, in case the reasons requiring processing are eliminated. or anonymized. In this context, the Company takes the necessary technical and administrative measures within the Company in order to fulfill its related obligation; has developed the necessary working mechanisms in this regard; trains, assigns and raises awareness of the relevant business units in order to comply with these obligations.