“Let what you eat be your medicine and let your medicine be what you eat” – Hipokrat

PERSONAL DATA PROTECTION POLICY

CNG CENGİZ SUPPLY FOREIGN TRADE LIMITED COMPANY

PERSONAL DATA PROTECTION POLICY

 Effective Date: 25.06.2020

This Personal Data Protection Policy includes our policies regarding the personal data that our company, CNG Cengiz Tedarik Dış Ticaret Limited Şirketi, which is the data supervisor, processes while providing services.

 

CONTENTS

  1. ABBREVIATIONS USED IN OUR POLICY 3
  2. PURPOSE OF OUR POLICY 4
  3. RANGE OF OUR POLICY 4
  4. IMPLEMENTATION OF OUR POLICY 4
  5. ASPECTS REGARDING THE PROTECTION OF PERSONAL DATA 4
  6. PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA 5
  7. PERSONAL DATA PROCESSING POLICY 5

 

7.1. Processed Personal Data 5

7.2. Principles to be Followed Regarding the Processing of Personal Data 6

7.2 Purposes of Our Company for Processing Personal Data 6

7.2.1 Terms; 6

7.2.2 Purposes; 7

  1. TRANSFERRING PERSONAL DATA 8

8.1 Domestic Transfer of Personal Data 8

8.2 Transfer of Personal Data Abroad 9

8.3 Institutions and Organizations Personal Data is Transferred to 9

  1. BUILDING ENTRANCES AND PERSONAL DATA PROCESSING ACTIVITIES IN THE BUILDING AND WEBSITE VISITORS 9
  2. RIGHTS OF THE PERSON WHOSE PERSONAL INFORMATION IS PROCESSED BY THE COMPANY 10
  3. STORAGE OF PERSONAL DATA 10
  4. TECHNICAL AND ADMINISTRATIVE MEASURES TO KEEP PERSONAL DATA 11
  5. DELETING, DESTRUCTION AND ANONYMIZATION, DISPOSAL OF PERSONAL DATA 11
  6. USE OF THE PERSONAL DATA OWNER’S RIGHTS 12
  7. CIRCUMSTANCES WHERE THE PERSONAL DATA OWNER CANNOT ASSERT HIS RIGHTS 13
  8. OTHER MATTERS 13
  9. KVKK (Personal Data Protection Law) DATA OWNER INFORMATION APPLICATION FORM

 

 


  • ABBREVIATIONS USED IN OUR POLICY

KVKK: Law on Protection of Personal Data No. 6698 published in the Official Gazette 29677 dated 7 April 2016 and relevant legislation

GDPR: EU (European Union) General Data Protection Regulation

Constitution: The Constitution of the Republic of Turkey number 2709, dated 7 November 1982, published in the Official Gazette number 17863 dated 9 November 1982.

Data Processor: The person who is responsible for the technical storage, protection and backup of the data or the person who processes personal data on behalf of the Data Controller within the organization of the Data Controller or in line with the authorization and instruction received from the Data Controller, excluding the unit.

Data Owner/Relevant Person/Related Persons: Employees, customers, business partners, shareholders, officials, potential customers, candidate employees, interns, visitors, suppliers, collaborators, with whom the Company and/or its affiliates/subsidiaries have commercial relations, as well as natural persons whose personal data is processed, such as employees of institutions, third parties and other persons, including but not limited to those listed here.

Data Controller: natural or legal person who determines purposes and means of processing personal data, and is responsible for data recording system establishment and management.

Explicit Consent: Consent about a specific subject, based on information and expressed with free will.

Destruction: Deletion, destruction or anonymization of personal data.

Recording Media: Any environment where personal data is processed wholly or partially automatically or non-automatically, provided that it is a part of any data recording system.

Personal Data: Any information relating to an identified or identifiable natural person.

Special Categories of Personal Data: Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric data and genetic data.

Processing of Personal Data: All kinds of operations performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, as well as classification or prevention of use.

Anonymization of Personal Data: Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Deletion of Personal Data: Deletion of personal data; Making personal data inaccessible and unusable in any way for the relevant users.

Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.

Periodic Destruction: The process of deletion, destruction or anonymization to be carried out ex officio at recurring intervals in case of elimination of all conditions for processing personal data in the law.

Regulation on the Deletion, Destruction or Anonymization of Personal Data: Regulation on the Deletion, Destruction or Anonymization of Personal Data, which was published in the Official Gazette number 30224  dated 28 October 2017 and entered into force on 1 January 2018.

Personal Data Protection Board / Board: Personal Data Protection Board

Personal Data Protection Authority: Personal Data Protection Authority

Company: CNG CENGİZ SUPPLY FOREIGN TRADE LIMITED COMPANY

 

  • PURPOSE OF OUR POLICY

The purpose of this document is to regulate the methods and principles to be followed by our company in order to ensure that personal data is processed and protected in accordance with the Law on the Protection of Personal Data (KVKK) published in the Official Gazette number 29677 dated 7 April 2016. In this context transparency is ensured by informing the people whose personal data are processed by our company, especially our employees, employee candidates, our customers, potential customers, suppliers, business partners, company shareholders and officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties.

  • RANGE OF OUR POLICY

This Policy document is implemented in the activities carried out for the processing and protection of all personal data managed by our Company and is applicable to our employees, employee candidates, customers, potential customers, suppliers, business partners, company shareholders, company officials, visitors, employees, shareholders and cooperating institutions as well as third parties. It relates to all personal data of officials, whose personal data are processed automatically by our company or by non-automatic means, provided that it is part of any data recording system.

 

  • IMPLEMENTATION OF OUR POLICY

During the processing and protection of personal data the provisions of the relevant legislation in force will be applied in first priority. In case of conflict between the provisions of the legislation and the provisions of the policy, our Company accepts that the provisions of the current legislation will be valid.

 

According to Article 12 of the Personal Data Protection Law, as a data controller, all necessary technical and administrative measures are taken to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, to ensure storing of personal data, and to ensure the appropriate level of security.

 

  • ASPECTS REGARDING THE PROTECTION OF PERSONAL DATA

Our company performs a risk analysis that determines what personal data is, what risks may arise regarding the protection of this data, and to prevent the illegal processing of personal data in accordance with Article 12 of the Personal Data Protection Law, to prevent unlawful access to personal data, and takes the necessary technical and administrative measures to ensure the appropriate level of security to ensure the protection of personal data. The main measures taken are listed below.

  • All activities carried out by our company were analyzed in detail for all business units, and as a result of this analysis, a process-based personal data processing inventory was prepared. The risky areas in this inventory are identified and the necessary legal and technical measures are constantly checked.
  • Personal data processing activities carried out by our company are audited by information security systems, technical systems and legal methods. Our company has determined provisions regarding confidentiality and data security in the employment contracts signed during the recruitment processes of the employees and requests the employees to comply with these provisions.
  • Employees are regularly informed and trained about personal data protection law and taking necessary measures in accordance with this law. The roles and responsibilities of the employees were reviewed within this scope and their job descriptions were revised
  • Personal data processing carried out by our Company and its subcontractors; In order to ensure that this processing complies with the personal data processing conditions stated by the KVKK, the issues that must be complied with are executed. The text of the information security commitment to the contracts concluded with these persons has been added and signed.
  • The contracts concluded by the Company were examined in terms of Personal Data Protection Law and necessary changes were made. The text of the information security commitment to the contracts concluded with these persons has been added and mutually signed.
  • Appropriate technical measures are taken in accordance with technological developments, the measures taken are periodically checked, updated and renewed.
  • Access authorizations are limited and authorizations are checked up regularly. The authorities of the employees who change job or quit are limited in this area.
  • The technical measures taken are regularly reported to the authorized person, the risk factors are reviewed and efforts are made to produce the necessary technological solutions.
  • Software and hardware including virus protection systems and firewalls are installed.
  • Backup programs are used to ensure that personal data is kept securely.
  • Security systems for storage areas are used, the technical measures taken are periodically reported to the relevant person in accordance with internal controls, the risky issues are reevaluated and necessary technological solutions are produced.

 

  • Files/printouts stored in the physical environment are stored in physically locked or secured areas and are destroyed in accordance with the procedures determined after the expiry of the storage period.
  • Data that has expired is destroyed.
  • Data masking is performed when necessary.
  • The Company’s systems are being brought into compliance with the EU General Data Protection Regulation (GDPR).
  • Crisis and reputation management was discussed in order to be precautious against any personal data security violation, and within this scope, the processes of informing the The Board of Protection of Personal Data and the relevant person were designed.
  • Clarification text and explicit consent texts were arranged, and consentingly signed by real persons whose personal data is processed by our company.
  • The technical and administrative measures suggested by the Authority were examined and necessary administrative and technical measures were taken to ensure the security of the personal data processed by our Company.

PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

Our company carries out necessary activities to ensure the security of special categories of personal data and takes all kinds of technical and administrative measures in order to comply with legal requirements and adequate measures determined by the Board in order to ensure that these data are processed in accordance with the law.

 

  • PERSONAL DATA PROCESSING POLICY

Processed Personal Data

Within the scope of our Company’s Personal Data Protection Law and our legal obligations arising from the relevant legislation, some of your personal data such as name, surname, TCKN (Turkish Identification Number), date of birth, place of birth, your contact data such as address, e-mail address, telephone number, your data that should be in your personnel file such as occupation, education, residence address, vehicle license plate, visual records, biometric data, visitor registration, financial information, health information, location, clothing data, etc.) are processed in order to fulfill our activities and legal obligations. In order for our company to fulfill its activities and legal obligations, these personal data will be processed and stored by taking information security measures, provided that they are not used outside the scope and purposes determined by this Personal Data Protection Policy, based on the legal reason for processing or your express consent, in cases permitted by law.

  • Principles to be Followed Regarding the Processing of Personal Data

All personal data processed by our company are processed in accordance with KVKK (Law on Protection of Personal Data) and relevant legislation. The company, in accordance with Article 4 of the KVKK (Law on Protection of Personal Data) processes personal data in accordance with the rules of law and honesty, accurately and, when necessary, by pursuing current, specific, clear and legitimate purposes, in a limited and measured manner.

  • Processing in accordance with Law and Good Faith: The Company; acts in accordance with the principles introduced by legal regulations and the general rule of trust and good faith in the processing of personal data. In this context, the Company takes into account the proportionality requirements in the processing of personal data, and does not use personal data in other ways than as required for the purpose.
  • Providing accurate and Up-to-Date Personal Data: The Company ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and their own legitimate interests.
  • Processing for Specific, Explicit and Legitimate Purposes: The Company clearly and precisely determines the legitimate and lawful purpose of processing personal data. The Company processes personal data in connection with the products and services it offers and as much as is necessary for them. The purpose for which personal data will be processed by the Company is set forth before the personal data processing activity begins.
  • Being related to the Purpose for which they are Processed, Limited and Measured: The Company processes personal data in a way that is suitable for the realization of the determined purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed.
  • Storage during the Time Estimated in the Related Legislation or Required For The Purpose of Processing: The Company retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context, the Company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period, and if a period is not determined, it stores the personal data for the period required for the purpose for which they are processed. Personal data is deleted, destroyed or anonymized by the Company in the event that the period expires or the reasons for its processing disappear.
  • Purposes of Our Company for Processing Personal Data

Our company informs the persons concerned during obtaining personal data in accordance with Article 10 of the Law on the Protection of Personal Data. In this context, it clarifies the identity of the Company and its representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of collecting personal data and the legal reason, and the rights of the persons concerned under article 11 of the KVKK (Law on Protection of Personal Data).

Our company processes personal data limited to the following conditions in the personal data processing conditions specified in Articles 5 and 6 of the KVKK (Law on Protection of Personal Data) and in line with the following purposes.

  • Conditions;
  • It is clearly stipulated in the Laws for the Company to carry out relevant activities regarding the processing of personal data, excluding personal data related to health and sexual life,
  • The processing of personal data by the Company is directly related to and necessary for the conclusion or performance of a contract; Before the contract, personal information may be processed in order to prepare an offer, prepare a purchase form or meet the demands of the person concerned in connection with the conclusion of the contract. During the contract preparation process, the relevant persons can be contacted in consideration of the information they provide.

Example: Obtaining the name and contact information of the authorized person of the company singing the Agreement.

 

  • The processing of personal data is mandatory for the Company to fulfill its legal obligations; The processing of personal information is also free if the law requests, requires or allows these transactions. Data processing, in type and scope, must be necessary for the legally permitted data processing activity and must comply with the relevant legal provisions.

Example: Submission of information to the court requested by court order.

  • Provided that personal data has been made public; for the purpose of publicizing processing it by the Company in a limited manner,

Example: The phone data of the person, who shared it in a website to show that he/she wants to buy the product, can be prosessed without his/her consent, limited to this scope. In this context, persons who wants to sell the car with the relevant feature will be able to reach the relevant person without the need for any consent.

  • Establishment of the rights, usage of personal data or protection is mandotary for people/3rd parties whose data prosessed by the Company,

Example: Storing the evidential data (sales contract, invoice) and using them when necessary.

  • It is obligatory to process personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the persons whose data are processed; Personal data may also be processed in cases where the Company has a legitimate interest.

Legitimate interests are those that comply with law, morality, and good manners, as well as material interests.

Taking advantage of storage, hosting, maintenance and support services for the purpose of collecting receivables, avoiding breaches of contract and legal obligations, providing technical and security IT services are examples of situations where the Company has legitimate interests in processing personal data. Provided that the Company does not harm the fundamental rights and freedoms of its employees, the Company may process the personal data of its employees to be used as a basis in the arrangement of their promotions, salary increases or social rights, or in the distribution of duties and roles in the restructuring of the enterprise. The basic principles regarding the protection of personal data will be followed and the balance of interests of the data controller and the person concerned will be observed.

  • The personal data processing activity for the company is mandatory for the protection of the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to express his consent due to actual impossibility or legal invalidity,

Example: Giving the blood type information of the fainted customer to the doctors by his friends.

  • Special categories of personal data other than the health and sexual life of the personal data owner, in cases stipulated by the laws:

Example: Within the scope of processing by persons or authorized institutions and organizations under the obligation of secrecy for the purpose of protecting public health, preventive medicine, medical diagnosis, carrying out treatment and care services, planning and management of health services and financing.

In the absence of the above-mentioned conditions; In order to carry out personal data processing activities, the Company seeks the express consent of personal data owners on its own or through its customers.

  • Objectives;

Our company operates personal data just in case but not limited: Ensuring the legal, technical and commercial-occupational security of the Company and the persons who have a business relationship with the Company; To carry out the necessary work by our relevant business units for the realization of commercial activities carried out by the Company and to carry out the related business processes; Planning and execution of the Company’s commercial and/or business strategies; Planning and execution of the Company’s human resources policies and processes, etc.

  • Determining and implementing company strategies and ensuring the execution of our company’s human resources policies,
  • In line with the purpose of ensuring the execution of the company’s human resources policies; Recruitment of suitable personnel for open positions in accordance with company human resources policies, execution of human resources operations in accordance with company human resources policies, fulfillment of obligations within the framework of Occupational Health and Safety and taking necessary measures,
  • In line with the purpose of fulfilling the services provided by the company by the relevant business units; Independent audit, accounting services and consultancy etc. carried out by the company or outsource, performance of services,
  • Administrative operations, auditor independence, risk management and quality control purposes for communication carried out in line with the purpose of ensuring the legal and commercial security of the Company and those who have a business relationship with the Company,
  • Relationship management, account management, internal financial reporting, provision of information technology (IT) services (including storage, hosting, maintenance, support, use of a centrally distributed server system)
  • Processes and operations, financial operations, communication, market research and social responsibility activities carried out in line with the purpose of determining and implementing the commercial and business strategies of the Company, execution of purchasing operations (demand, offer, evaluation, order, budgeting, contract)
  • Determination and implementation of company commercial and business strategies, in-house system and application management,
  • Planning, auditing and execution of information security processes, creation and management of information technology infrastructure,
  • Planning and execution of employee satisfaction and/or loyalty processes, planning and execution of fringe benefits and benefits for employees, planning and execution of employees’ access to information, monitoring and/or auditing of employees’ business activities,
  • Follow-up of finance and/or accounting and legal affairs,
  • Planning and execution of market research activities for sales and marketing and/or promotion of business activities and services,
  • Planning and execution of business partners and/or suppliers’ access to information, management of relations with business partners and/or suppliers,
  • Planning and execution of corporate communication activities, planning and/or execution of corporate risk management activities, planning and execution of corporate sustainability activities, planning and execution of corporate governance activities,
  • Planning and execution of customer relationship management processes, planning and/or monitoring of customer satisfaction processes, tracking customer requests and/or complaints,
  • Fulfillment of obligations based on employment contracts and/or legislation for company employees,
  • Ensuring the security of company inventory and/or resources,
  • Planning and execution of external training activities,
  • Planning and execution of operational activities necessary to ensure that company activities are carried out in accordance with company procedures and/or relevant legislation,
  • Ensuring that the data is correct and up-to-date,
  • Planning and execution of skills and career development activities,
  • Providing information based on legislation to authorized persons and/or organizations,
  • Establishing and tracking visitor records and ensuring the security of company premises and facilities.
  • Şirket hukuk işlerinin icrası ve takibi
  • Storing of information on data that must be kept in accordance with the relevant legislation, fulfillment of legal obligations
  • Execution and monitoring of company legal affairs

 

  • TRANSFERRING PERSONAL DATA

Domestic Transfer of Personal Data

The company is under the responsibility of acting in accordance with the decision and relevant regulations stipulated in the Personal Data Protection Board and taken by the Personal Data.

Personal data and sensitive data which belongs to the persons concerned cannot be transferred by the Company to other natural persons or legal entities without the express consent of the person concerned. In so far, in cases where Personal Data Protection Board and other laws make it mandatory, the data may be transferred to the authorized administrative or judicial institution or organization in the manner stipulated in the legislation and within the limits, without the explicit consent of the person concerned.

In addition, in cases stipulated in Articles 5 and 6 of the Law, transfer is possible without the consent of the person concerned. Our company, in accordance with the conditions stipulated in the Law and other relevant legislation and taking all the security measures specified in the legislation, if there is an existing contract signed with the data owner, to third parties in Turkey unless otherwise regulated in the present agreement and the Law or other relevant legislation and to other companies that are members of the Company network within the hierarchy of the Company. Our company obtains explicit consent from the people whose data is transferred to inside the country.

  • Transfer of Personal Data Abroad

Our company may transfer personal data to third parties in Turkey, in accordance with the conditions stipulated in the Law and other relevant legislation, as stated above, including the use of outsourcing, to be processed in Turkey or to be processed and stored outside of Turkey, by taking all security measures specified in the legislation. If there is an existing contract signed with the data owner, it can also be transferred abroad unless otherwise regulated in the said contract and the Law or other relevant legislation.

In exceptional cases where explicit consent is not sought for the transfer of personal data specified in the Personal Data Protection Board, in addition to the conditions of processing and transfer without consent, sufficient protection is required in the country to which the data will be transferred. The Personal Data Protection Board will determine whether adequate protection is provided; In the absence of adequate protection, data controllers in both Turkey and the relevant foreign country must undertake an adequate protection in writing and must have the permission of the Personal Data Protection Board. Our company obtains explicit consent from the persons whose data is processed.

  • Institutions and Organizations for Transfer

Information requested by public legal entities within the scope of their legislation is shared in accordance with Article 8 of the Personal Data Protection Board. Other persons or organizations to whom personal data can be transferred for the above-mentioned purposes are as follows; In order to carry out activities as subsidiaries and/or direct/indirect domestic/foreign Company to be responsible together with the Company in taking data security measures such as the protection of all kinds of personal data, the prevention of unauthorized access and the prevention of their unlawful processing, services are received within the scope of the relevant contracts, in cooperation are the national/foreign organizations that are program partners, relevant public institutions and organizations, relevant department heads and other 3rd parties.

  • PERSONAL DATA PROCESSING ACTIVITIES IN BUILDING ENTRANCES AND INSIDE THE BUILDING AS WELL AS WEBSITE VISITORS

Personal data processing activities carried out by our company in the building corridors and in the office are carried out in accordance with the Constitution, Personal Data Protection Board and other relevant legislation. In order to ensure security, our company carries out surveillance activities with security cameras in the corridors and interiors of the offices in the buildings where the workplaces are located. For security reasons, additional data records are taken at the entrances for the guests.

The following personal data processing activities are carried out by our Company: Using security cameras, door cards, face recognition system, biometric data processing and recording at the entrance for purposes such as increasing the quality of the provided service, ensuring its reliability, ensuring the safety of life and property of the company, data owner, employees and other persons, and protecting the legitimate interests of these persons.

The main purpose of maintaining the video camera monitoring activity by the company is to provide security and it is limited to the purposes listed in this policy. In this direction, the monitoring areas, the number of security cameras and the time of monitoring are implemented as sufficient to achieve the security purpose and in a limited manner for this purpose. The privacy of the person is not subject to monitoring in areas that may result in interference beyond security purposes. Necessary technical and administrative measures are taken by the company in accordance with Article 12 of the Personal Data Protection Board.

A limited number of Company employees and subcontractor security personnel are able to access the records recorded and maintained in the digital environment. Persons who have access to the records are under the obligation to protect the confidentiality of the data within the framework of a confidentiality agreement or information security commitment.

  • RIGHTS OF THE PERSON whose PERSONAL INFORMATION IS PROCESSED BY THE COMPANY

Real persons whose personal data are processed by our Company by applying to our Company in accordance with the procedures set forth in this policy;

  • Learning whether personal data is processed or not,
  • If personal data has been processed, requesting information about it,
  • To learn the purpose of processing personal data and whether they are used in accordance with the purpose,
  • Knowing the third parties to whom personal data is transferred in the country or abroad,
  • Requesting correction of personal data in case of incomplete or incorrect processing,
  • Requesting the deletion or destruction of personal data in the event that the reasons for processing disappear, although it has been processed in accordance with the provisions of the relevant law,
  • Requesting notification of the transactions made pursuant to subparagraphs (d) and (e) to third parties to whom personal data has been transferred,
  • Objecting to the emergence of a result against the person by analyzing the processed data exclusively through automated systems. For example, the employee’s objection to his own performance analysis, the work done by him, being processed and analyzed in an automated system and analyzed according to the analysis result will be evaluated within this scope.
  • It has the right to demand the compensation of the loss in case of loss due to unlawful processing of personal data.
  • STORAGE OF PERSONAL DATA

By our company; Personal data belonging to third parties, institutions or organizations that are in contact as employees, employee candidates, visitors and service providers are stored and destroyed in accordance with the Law. In this context, detailed explanations regarding storage and disposal are given below, respectively.

In Article 3 of the Law, the concept of processing personal data is defined, in Article 4 it is stated that the personal data processed should be related to the purpose for which they are processed, as well as limited and measured, and should be stored during the period required for the purpose for which they are processed or as stipulated in the relevant legislation.
In Articles 5 and 6, the processing conditions of personal data are listed. Accordingly, personal data obtained within the framework of our company’s activities are stored for a period of time stipulated in the relevant legislation or suitable for our processing purposes. In our company, personal data processed within the framework of our activities are kept for the period stipulated in the relevant legislation. In this context, personal data;

  • Law on Protection of Personal Data No. 6698,
  • Turkish Code of Obligations No. 6098,
  • Public Procurement Law No. 4734,
  • Civil Servants Law No. 657,
  • Social Insurance and General Health Insurance Law No. 5510,
  • Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts,
  • Public Financial Management Law No. 5018,
  • Occupational Health and Safety Law No. 6331,
  • Law on Access to Information No. 4982,
  • Law No. 3071 on the Use of the Right to Petition,
  • Labor Law No. 4857,
  • Higher Education Law No. 2547,
  • Retirement Health Law No. 5434,
  • Social Services Law No. 2828
  • Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Premises,
  • Regulation on Archive Services
  • is stored for the periods stipulated within the framework of other legal regulations and other secondary regulations in force in accordance with these laws.

Our company is responsible for carrying out the recruitment and human resources processes of the personal data that it processes within the framework of its activities, ensuring corporate communication, protecting the interests of the data controller and ensuring company security, performing business and transactions as a result of signed contracts and protocols, determining the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors within the scope of Personal Data Protection Board, organizing the services provided accordingly and updating them if necessary, ensuring the fulfillment of legal obligations as required or mandated by legal regulations, contacting real / legal persons who have a business relationship with the company, making reports, fulfilling the burden of proof as evidence in legal disputes that may arise in the future, ensuring occupational health and safety, to ensuring physical space safety and keeping it for the periods specified in the relevant laws in line with other reasons specified in the laws and necessary for the execution of the business.

  • TECHNICAL AND ADMINISTRATIVE MEASURES TO KEEP PERSONAL DATA

In accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law, in accordance with the adequate measures determined and announced by the Board for personal data in order to store personal data securely, to prevent illegal processing and access, and to destroy personal data in accordance with the law, our Company has provided technical assistance and administrative measures.

 

  • DELETING, DESTRUCTION AND ANONYMIZATION, DISPOSAL OF PERSONAL DATA

Even though the personal data has been processed in accordance with the provisions of the relevant law in line with the regulation of Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Board, in case the reasons requiring processing are eliminated, on the basis of the Company’s own decision or if the personal data owner requests it personal data is deleted, destroyed or anonymized. In accordance with the provisions of the relevant legislation, our company reserves the right not to fulfill the request of the data owner in cases where it has the right and/or obligation to preserve personal data.

When personal data is processed by non-automatic means, provided that it is a part of any data recording system, a system of physical destruction of personal data is applied while the data is being deleted/destroyed so that it cannot be used later. When the company agrees with a person or organization to process personal data on its behalf, personal data is securely deleted by these people or organizations in a way that cannot be recovered.

 

Our company acts within the framework of the following principles in the storage and destruction of personal data:


  1. In the deletion, destruction and anonymization of personal data, the Law and the provisions of the relevant legislation, Board decisions and this Policy are fully complied with.
  2. All procedures regarding the deletion, destruction and anonymization of personal data are recorded by the Company and these records are kept for at least 3 (three) years, excluding other legal obligations.
  3. Unless a contrary decision is taken by the Board, the appropriate method of deletion, destruction or anonymization of personal data ex officio is chosen by us. However, upon the request of the Relevant Person, the appropriate method will be chosen by explaining the reason.
  4. In the event that all the conditions for processing personal data in Articles 5 and 6 of the Law are no longer valid, the personal data is deleted, destroyed or anonymized by the Company ex officio or upon the request of the person concerned. In case the Related Person applies to the Company in this regard submitted requests are answered within 30 (thirty) days at the latest. In case data subject to the request has been transferred to third parties, this situation is notified to the third party to which the data is transferred and necessary actions are taken by the third parties.

Personal data of data owners are stored by our Company within the limits specified in the Law and other relevant legislation, especially for (i) to continue commercial activities, (ii) to fulfill legal obligations, (iii) to plan and fulfill employee rights and fringe benefits.

Regarding the personal data processed by our company within the scope of our activities and legal obligations; Personal data-based storage periods for all personal data within the scope of activities carried out in connection with processes are in the Personal Data Processing Inventory; Storage periods on the basis of data categories are recorded in VERBIS.

If necessary, updates on the mentioned storing periods are made by the Personal Data Protection Commission. For personal data whose storage period has expired, ex officio deletion, destruction or anonymization is carried out by the Personal Data Protection Commission.

In accordance with the relevant legislation, our company has determined the period of periodic destruction as 6 months. Accordingly, periodic destruction is carried out in our Company every year in June and December. All procedures regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least 3 (three) years, excluding other legal obligations.

  • USE OF THE PERSONAL DATA OWNER’S RIGHTS

As a personal data owner, you can submit your requests regarding your rights listed above by filling in and signing the Application Form at the link www.zelglobal.com together with the information and documents that will help us to identify you and pass it to the following address: CNG Cengiz Tedarik Dış Tic. Ltd. Sti. Bagyurt Yeni Mah. Ova Yolu Cluster Houses No.78-A /1 Kemalpaşa – İZMİR; You can submit the application form to our company’s Human Resources department against signature or send it to our address info@zelglobal.com with the title of “KVKK (Personal Data Protection Board) Application”. For third parties to apply on behalf of personal data owners, a special power of attorney issued by the data owner through a notary on behalf of the person to apply must be present.

If the personal data owner submits his request to our company, the relevant request is finalized within thirty days at the latest, depending on the nature of the request. In case the transaction requested by the personal data owner requires a separate cost, the fee in the tariff determined by the Board may be requested separately. In case the application is caused by the fault of the data controller, the fee taken is returned to the relevant person.

Our company may request information and documents from the person concerned in order to determine whether the applicant is the owner of personal data. Our company may ask questions about the personal data owner’s application in order to clarify the aspects in the personal data owner’s application.

Our company may reject the application of the applicant by explaining the reason, in the following cases:

  • Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.
  • Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
  • Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
  • The processing of personal data is necessary for the prevention of crime or for criminal investigation.
  • Processing of personal data made public by the personal data owner.
  • The processing of personal data is required by the authorized and competent public institutions and organizations and public professional organizations for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution based on the authority granted by the law.
  • The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
  • The possibility of the personal data owner’s request to prevent the rights and freedoms of other persons.
  • Requests that require disproportionate effort
  • The requested information is publicly available information.
  • SITUATIONS WHERE THE PERSONAL DATA OWNER CANNOT PUT FORTH HIS RIGHTS

Kişisel veri sahipleri, KVKK’nın 28. maddesi gereğince aşağıdaki haller KVK Kanunu kapsamı dışında tutulduğundan, kişisel veri sahiplerinin bu konularda yukarıda sayılan haklarını ileri süremezler:

Since the following cases are excluded from the scope of the Law on Protection of Perfsonal Data pursuant to Article 28 of the Personal Data Protection Board, personal data owners cannot claim the above-mentioned rights in these matters:

  • Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.
  • Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
  • Kişisel verilerin soruşturma, kovuşturma, yargılama veya infaz işlemlerine ilişkin olarak yargı makamları veya infaz mercileri tarafından işlenmesi.
  • Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.

According to article 28/2 of Personal Data Protection Law; In the cases listed below, personal data owners cannot claim other rights of theirs listed in 9, except for the right to demand the compensation of the damage:

  • The processing of personal data is necessary for the prevention of crime or for criminal investigation.
  • Kişisel veri sahibi tarafından kendisi tarafından alenileştirilmiş kişisel verilerin işlenmesi.
  • Processing of personal data made public by the personal data owner.
  • The processing of personal data is required by the authorized and competent public institutions and organizations and public professional organizations for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution based on the authority granted by the law.
  • Kişisel veri işlemenin bütçe, vergi ve mali konulara ilişkin olarak Devletin ekonomik ve mali çıkarlarının korunması için gerekli olması.
  • The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
  • OTHER MATTERS

In case of inconsistency between KVKK and other relevant legislation provisions and this Policy, KVKK and other relevant legislation provisions will be applied first.

This Policy, prepared by our company, which is the data controller, has entered into force in accordance with the decision taken by the Company’s Board of Directors.

CNG CENGİZ TEDARİK DIŞ TİCARET LİMİTED ŞİRKETİ
VERİ SAHİBİ BİLGİ BAŞVURU FORMU

CNG CENGİZ SUPPLY FOREIGN TRADE LIMITED COMPANY

DATA OWNER INFORMATION APPLICATION FORM

 

 

 

Dear Applicants,

The protection of personal data, which is a constitutional right, is given utmost importance by our company. Personal data owners (“Applicant”), defined as the relevant person in the Personal Data Protection Law No. 6698 (“KVK Law”), have been granted the right to make various requests regarding the processing of personal data with Article 11 of the Personal Data Protection Law. In accordance with the Personal Data Protection Law, the applications to be made to our Company, which is the data controller, regarding these rights must be submitted to us in writing or by other methods determined by the Personal Data Protection Board (“Board”).

Your applications, which you send to us in writing through the following channels, will be finalized free of charge within 30 days at the latest from the date your request is received by our Company, in accordance with Article 13 of the Personal Data Protection Law. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be requested from you.

  • IDENTITY AND CONTACT INFORMATION OF THE PERSONAL DATA OWNER

Your personal data, which must be submitted by you within the scope of this form, are collected only for the purpose of evaluating and finalizing your application and communicating with you, and are not subject to data processing for other purposes.

Data Controller: CNG Cengiz Tedarik Foreign Trade Limited Company

Applicant’s Name – Surname:

T.R. Identification number :

Phone number :

Address :

E-mail address :

REGISTERED ADDRESS (If any):

Your Relationship with Our Company:

(Customer, visitor, business partner, employee candidate,

ex-employee, third-party firm employee, shareholder, etc.)

 

Is Your Relationship With Our Company Still Continuing?

  • INFORMATION RELATING TO THE RIGHT TO BE USED BY THE PERSONAL DATA OWNER

(Please tick the circles next to the statement that fits your request)

  • I want to know whether your company processes personal data.
  • If you are processing personal data, I request information about these data processing activities.
  • If you are processing personal data, I would like to learn about the purpose of processing and whether they are used in accordance with the purpose of processing.
  • If my personal data is transferred to third parties at home or abroad, I want to know these third parties.
  • Since my personal data is incomplete or incorrectly processed, I want it to be corrected.
  • Although my personal data has been processed in accordance with the legislation, I want my personal data to be deleted.
  • I want my personal data, which I think is incomplete and wrongly processed, to be corrected by the third parties to whom it was transferred.
  • I want my personal data, which I request to be deleted, to be deleted by the third parties to whom it was transferred.
  • I believe that my personal data processed by your company is analyzed exclusively through automated systems and as a result of this analysis, there is a negative result for me. I object to this result.
  • Other : …………………………..

EXPLANATION ABOUT THE REQUEST:

  • HOW TO SUBMIT YOUR RESPONSE TO YOUR APPLICATION
  • Send it to my address.
  • Send it to my e-mail address.
  • After you give information by phone, I will receive it by hand.
  • STATEMENT OF THE APPLICANT

This application form has been prepared to determine your contact with our company, CNG Cengiz Tedarik Dış Ticaret Limited Şirketi, and to identify your personal data, if any, processed by our Company, in order to respond to your application properly. In order to prevent mistakes and ensure the security of your personal data, our company has the right to request additional documents and information (copy of identity card or driver’s license, etc.) for identification and authorization. Our company is not responsible for legal and criminal liability arising from unlawful, misleading or false applications, if the information regarding your requests within the scope of this application form is not correct and up-to-date, or if there is an unauthorized application.

  • ATTACHMENTS

(Please indicate if there is any document you want to attach in your application.)

  • APPLICATION PROCEDURE

You can send your written application that you want to make by filling out this form to our company address CNG Cengiz Tedarik Dış Tic. Ltd. Sti. Bagyurt Yeni Mah. it to Ova Yolu Cluster Houses No.78-A /1 Kemalpaşa – İZMİR with a wet signature, by mail, physically to the Human Resources department manager of our company against signature, or to our e-mail address info@zelglobal.com with the title of “KVKK Application”.

Personal Data Owner

Name and surname :

Application date :

Signature:

 

Persons Applying On Behalf Of Someone Else

(People who apply on behalf of someone else should send documents showing that they are authorized to apply (notarized power of attorney, etc.) attached to the application.)

CNG Cengiz Tedarik Dış Ticaret Limited Şirketi

Name and surname :

Application date :

Signature:

 

Thank you,

CNG Cengiz Supply Foreign Trade Limited Company