PROCESSING AND PROTECTION OF PERSONAL DATA POLICY

DOCUMENT DATE:

/ … / 2019

 
 

 
CONTENTS

1. INTRODUCTION

2. PURPOSE AND SCOPE OF THE POLICY

3. IMPLEMENTATION OF POLICY AND PPD REGULATIONS

4. DEFINITIONS

5. PRINCIPLES TO BE APPLIED IN THE PROCESSING OF PERSONAL DATA

6. PROCESSING OF PERSONAL DATA AND PERSONAL DATA OF SPECIAL NATURE BASED ON AND LIMITED TO THE PROCESSING REQUIREMENTS IN THE PPD REGULATIONS

7. ERASURE, DESTRUCTION AND ANONYMIZING OF PERSONAL DATA

8. TRANSFER OF PERSONAL DATA AND PROCESSING BY THIRD PARTIES

9. THE RIGHTS OF THE OWNER OF PERSONAL DATA AND THE EXERCISE OF THESE RIGHTS

10. PROTECTION OF PERSONAL DATA

11. CLASSIFICATION OF PERSONAL DATA PROCESSED BY STONE
 
 
 
1. INTRODUCTION

The Data Controller, STONETERROIR DOĞAL TAŞ VE MADENCİLİK SAN. ve TİC. A.Ş. (referred to as STONE or the company), is aware that the personal data of customers, employees and other related natural persons is very important and that this personal data should be protected as stated in the related legal regulations; STONE shapes its policy around this knowledge and liability.

This policy sets out the principles which must be followed within the company and/or by the company when STONE performs its obligations to protect personal data in accordance with PPD regulations and when it processes personal data. In this context, the necessary arrangements are made by STONE for processing and protecting personal data in accordance with the PPD regulations, and the necessary system is established for the formation of awareness.

STONE, as the data controller, declares that it will comply with the policy and the procedures to be applied in accordance with the policy.
 
 
 
2. PURPOSE AND SCOPE OF THE POLICY

The purpose of this policy is to explain and set out the principles of the process and the systems adopted by STONE for the protection of personal data, which are carried out in accordance with PPD regulations. The main aim of this policy and of the other written policies is to protect and process personal data lawfully.

This policy applies to all activities conducted by STONE for the purpose of processing and protecting personal data and relates to customers, our employees, our previous employees, employee candidates, our suppliers and third parties whose personal data is processed by an automated data recording system or by any recording system.

This policy does not apply to data that does not qualify as personal data.

This policy may be amended from time to time, if it is required by PPD regulations or if STONE finds it necessary, in accordance with changes to the purposes of processing and transferring personal data and the methods of collection.
 
 
 
3. IMPLEMENTATION OF POLICY AND PPD REGULATIONS

In the process of processing and protection of personal data, PPD regulations shall be implemented first, and in the event of any incompatibility between these regulations and the policy provisions, PPD regulations shall apply.

The update table is enclosed in Appendix 1.
 
 
 
4. DEFINITIONS

Personal data: All information related to a natural person whose identity is known or could be identified. (Within the scope of this Policy, “personal data” includes “personal data of special nature” as long as it is applicable.)

Personal Data of Special Nature: Data on race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, as well as biometric data and genetic data.

Processing of Personal Data: Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.

LPPD: Law No. 6698 on the protection of personal data.

PPD Regulations: Law No. 6698 on the Protection of Personal Data together with the Protection of Personal Data regulations, notifications and related legislation, the Personal Data Protection Board decisions, court rulings, international treaties and all other applicable legislation for the protection of data.

Data Controller: The natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system.

Data Processor: The natural or legal person who processes personal data on behalf of the controller upon his authorization.

Personal Data Owner: The actual person whose personal data is processed by or on behalf of STONE.

Third Party: Natural persons whose personal data is processed under the policy, who are not defined differently under the policy.

Data registry system: The registry system in which personal data is registered by being structured according to certain criteria.

Explicit consent: Freely given, specific and informed consent.

Anonymizing: Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.

Application form: Application Form containing the application to be made to data controller by data subject (personal data owner) in order to use its rights, which is prepared in accordance with the Law No. 6698 on the Protection of Personal Data and the Communiqué on the Procedures and Principles of Application to the Data Controller.

Employee candidate: Natural persons who have applied for a job with STONE by any means or who have made their resume and related information available for STONE’s review.

Visitors: Natural persons who have entered the physical sites owned by STONE for various purposes or who have visited our websites.

Board: Personal Data Protection Board

Policy: The policy of processing and protection of personal data.
 
 
 
5. PRINCIPLES TO BE APPLIED IN THE PROCESSING OF PERSONAL DATA

5.1. Processing personal data lawfully and in conformity with the rules of bona fides

STONE acts in accordance with the Law and the rules of bona fides during the processing of personal data, takes into account the principles of proportionality and necessity, and processes personal data at a level that is appropriate for the purposes of data processing.

5.2. Keeping personal data accurate and up to date when necessary

Keeping personal data accurate and up to date is a must to protect the fundamental rights and liberties of the data subject; STONE takes all necessary measures to do so and updates the data if it is requested by the data owner.

5.3. Processing personal data for specific, explicit and legitimate purposes

STONE sets out the aim of processing data on legal grounds and in a clear and exact way. STONE processes personal data related to and limited to the necessity of its business operations, products and services, and states the aim clearly before processing the data; in this way, the data owner is informed by STONE and, if necessary according to PPD regulations, the explicit consent of the data owner is received.

5.4. Processing personal data relevant with, limited to and proportionate to the purposes for which they are processed

STONE processes personal data in a way that is conducive to the realization of the stated objectives and avoids the processing of personal data that is not relevant to the realization of the purpose or is not needed. In this context, no personal data processing activity is carried out to meet the needs that may arise later. STONE processes personal data only in cases limited to the scope of the PPD regulations (LPPD articles 5.2 and 6.3) or for the purpose under the explicit consent of the personal data owner (LPPD articles 5.1 and 6.2) and in accordance with the principle of proportionality.

5.5. Retaining personal data for as long as required by the PPD Regulations or by the purpose for which they are processed

STONE only retains personal data for the period of time stipulated by PPD Regulations or the purpose for which they are processed; in this context, STONE first determines whether the PPD regulations stipulate a period for the storage of personal data; if a time period is stated, STONE acts in accordance with that period of time; if the duration is not stated, it; in the event of the termination of the period or the reasons that require processing are eliminated, personal data is erased, destroyed or anonymized according to the nature of the data and the purpose of use in accordance with the obligations under the PPD regulations.
 
 
 
6. PROCESSING OF PERSONAL DATA AND PERSONAL DATA OF SPECIAL NATURE BASED ON AND LIMITED TO THE PROCESSING REQUIREMENTS IN THE PPD REGULATIONS

6.1. Processing Of Personal Data

STONE processes personal data based on one or more of the requirements of Article 5 of the LPPD regarding the processing of personal data; in accordance with Article 10 of the LPPD, it informs the data owner and provides the necessary information when the personal data owner requests information.

6.1.1. Explicit Consent

One of the conditions for the processing of personal data is the explicit consent of the data owner; personal data is processed after the data owner has been informed within the scope of the fulfillment of the obligation to inform and has given explicit consent. Personal data owners are notified of their rights before explicit consent is obtained under the obligation to inform.

6.1.2. Processing Of Personal Data Without Explicit Consent

In cases where the processing of personal data without seeking explicit consent is stipulated under the PPD regulations (LPPD articles 5.2 and 6.3), STONE will be able to process personal data without the explicit consent of the data owner, and in the case of such processing of personal data, the company will process personal data within the limits set by the PPD regulations. The basis of personal data processing activity may be only one of the conditions stated below, or more than one of these conditions may be the basis of the same personal data processing activity.

6.1.2.1. The personal data of the data owner may be processed lawfully if it is clearly provided for by the laws.

6.1.2.2. Personal data may be processed by STONE without seeking explicit consent if it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid.

6.1.2.3. Personal data belonging to the parties to a contract may be processed by STONE without the explicit consent of the data owners, provided that it is directly related to the establishment, execution or termination of that contract.

6.1.2.4. STONE may process personal data without seeking the explicit consent of the data owner if it is mandatory for the controller to be able to perform his legal obligation.

6.1.2.5. Personal data that has been made available to the public by the data subject himself may be processed by STONE without explicit consent.

6.1.2.6. If the processing of personal data without seeking explicit consent is mandatory for the establishment, exercise or protection of any right, the personal data may be processed by STONE without explicit consent.

6.1.2.7. Personal data may be processed by STONE without seeking explicit consent if it is mandatory for the legitimate interests of STONE, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

6.2. Processing Of Personal Data of Special Nature

STONE complies with the regulations prescribed for the processing of personal data of special nature in accordance with Article 6 of the LPPD. If the personal data owner has not given explicit consent in accordance with Article 6, personal data of special nature may only be processed, with the adequate measures determined by the Board being taken, in the following cases:

6.2.1. Personal data of special nature other than health and sexual life of personal data owner, in cases prescribed by Law,

6.2.2. Personal data of special nature relating to the health or sexual life of data owner may only be processed by any person or authorised public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing,

6.2.3. In this context, STONE determines whether the personal data processing activities fall within the scope of one of these terms and ceases personal data processing activities that are not based on one of these terms. During the processing of personal data of special nature, measures determined by the Board are taken.
 
 
 
7. ERASURE, DESTRUCTION AND ANONYMIZING OF PERSONAL DATA

7.1. STONE erases, destroys or anonymizes the personal data at its own discretion or at the request of the personal data owner in the event that the grounds for data processing are eliminated, even though it has been processed in accordance with the provisions of the relevant Law, as set out in Article 7 of the LPPD. STONE has established a policy in this regard in accordance with the provisions of the Regulation on the Erasure, Destruction or Anonymizing of Personal Data, and in accordance with this policy it destroys the data according to its nature. In this context, periodical disposal dates have been determined by STONE and a calendar has been established according to the periodic disposal of the data at various intervals with the beginning of the obligation.

7.2. Personal Data Erasure, Destruction And Anonymization Techniques

7.2.1. The most commonly used erasure or destruction techniques by STONE are listed below

7.2.1.1. Physical destruction: Personal data can also be processed by non-automatic means, provided that it is part of any data recording system. When deleting/destroying such data, a system of physical destruction of personal data is implemented so that it cannot be used later.

7.2.1.2. Secure erasure from software: When deleting/destroying data that is processed in completely or partially automated ways and stored in digital media, methods are used to erase data from the software so that it can never be recovered.

7.2.1.3. Secure erasure by expert: STONE may in some cases agree with an expert to erase personal data on his or her behalf. In these cases, personal data will be securely erased/destroyed so that it will never be recovered by any expert on this subject.

7.2.2. The most commonly used anonymizing techniques by STONE are listed below

7.2.2.1. With data masking, the primary determinant of personal data is extracted from the data set and the personal data is made anonymous.

7.2.2.2. With the consolidation method, many data are aggregated and for that reason personal data cannot be associated with any person.

7.2.2.3. By means of data derivation, a more general content is created than the content of personal data, so that the personal data cannot be associated with any person.

7.2.2.4. The data hash method combines the values in the personal data set to break the link between the values and the contacts.

In accordance with Article 8 of the LPPD, personal data that has been anonymized may be processed for purposes such as research, planning and statistics. Such transactions are outside the scope of LPPD and the explicit consent of the personal data owner will not be sought.
 
 
 
8. TRANSFER OF PERSONAL DATA AND PROCESSING BY THIRD PARTIES

8.1. STONE may transfer personal data to third parties in Turkey and abroad as processed or to be processed and to be stored abroad, as given in the specifications stipulated in the LPPD, including outsourcing and by taking all the safety measures. If there is a signed contract with the data owner and if that contract and the PPD regulations allow, the data may be transferred abroad.

8.2. In the event that STONE transfers personal data to a third party, STONE also ensures that the third parties to whom it transfers personal data will also comply with this policy. In this context, necessary protective arrangements are added to the contracts concluded with the third party. STONE takes necessary technical and administrative measures to prevent rights violations during the transfer of data to third parties.

8.3. STONE reports to the personal data owner the groups of persons to whom personal data is transferred in accordance with Article 10 of the LPPD.

8.4. STONE acts in accordance with Articles 8 and 9 of the LPPD and with the regulations laid down in the Law on the transfer of personal data and set forth by the Board. Personal data collected and processed for the purposes specified in this policy, in accordance with the personal data processing conditions and purposes specified in articles 8 and 9 of the LPPD and the explicit consent of its employees, may be transferred to the following persons and organizations:

8.4.1. The company receiving technical payrolling service (limited to transferring the data necessary for payrolling purposes),

8.4.2. The organization conducting the employee satisfaction survey (limited to the transfer of postal addresses, for the purpose of delivering the survey to the employees).

8.5. Transfer Of Personal Data To Third Parties In Turkey

In accordance with the Law, STONE may transfer the personal data of the personal data owner and the personal data of the private person to third parties by taking the necessary security measures for the purposes of processing the personal data. In the absence of adequate protection, personal data may be transferred by STONE to foreign countries that declared to have adequate protection by the Board, or to foreign countries where data controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and have the permission of the Board.

STONE is responsible for acting in accordance with the decisions taken by the Board and the relevant regulations provided for in the LPPD regarding the transfer of personal data. Personal data and sensitive data of related parties may not be transferred by STONE to other natural persons or legal entities without the explicit consent of the related person. Personal data may be transferred by STONE to third parties located in Turkey (articles 5.1 and 6.2) without explicit consent in exceptional circumstances as set out in Article 5.2 and 6.3 of the LPPD, or in other cases on the condition that the explicit consent of the holder of the personal data is obtained. If there is an existing contract signed with the personal data owner, STONE may transfer personal data to third parties in Turkey and to other companies that are members of the Stone network under the umbrella of STONE, in accordance with the requirements set out in LPPD and other relevant legislation and by taking all security measures specified in the legislation, unless otherwise provided in.

8.6. Transfer Of Personal Data To Third Parties Abroad

Personal data may be transferred by STONE to third parties abroad (articles 5.1 and 6.2) without explicit consent in exceptional circumstances as set out in articles 5.2 and 6.3 of the LPPD, or in other cases on the condition that the explicit consent of the holder of the personal data is obtained. In the event that personal data is transferred without explicit consent in accordance with the provisions of the Law, one of the following conditions is required in respect of the foreign country in which it will be transferred:

8.6.1. The foreign country to which the data will be transferred should have been declared by the Board to have adequate protection,

8.6.2. If the foreign country is not stated as a safe country on the Board’s list, the data controllers of STONE and of the aforesaid country should undertake in writing to provide adequate protection and should have the permission of the Board.
 
 
 
9. THE RIGHTS OF THE OWNER OF PERSONAL DATA AND THE EXERCISE OF THESE RIGHTS

9.1. The rights of the personal data owner are listed below:

9.1.1. Learning whether personal data is processed,

9.1.2. Requesting information if personal data has been processed,

9.1.3. Learning the purpose of processing personal data and whether they are used in accordance with their purpose,

9.1.4. Knowing the third parties to which personal data is transferred domestically or abroad,

9.1.5. To request that incomplete or improperly processed data be corrected and that the third parties to whom the personal data was transferred be notified,

9.1.6. To request the erasure or destruction of personal data in case the reasons for its processing are eliminated, even though it has been processed in accordance with PPD regulations, and to request that the transaction performed in this context be notified to third parties to whom the personal data was transferred,

9.1.7. To object to a result that arises against the person himself through the analysis of the processed data exclusively by automated systems,

9.1.8. To request compensation if the data is not processed according to PPD regulations.

9.2. STONE informs the data owner about his rights according to Article 10 of LPPD and guides the data owner about the way to use his rights according to Article 11 of LPPD.

9.3. In order to assess the rights of personal data owners and to provide the necessary information to data owners, STONE carries out the necessary channels, internal functioning, administrative and technical arrangements according to Article 13 of LPPD.

9.4. Conditions where the owner of personal data cannot assert his rights

As the following conditions are excluded from the scope of LPPD according to Article 28, the personal data owner cannot assert his rights in these matters as mentioned in 9.1:

9.4.1. Processing of personal data for purposes such as research, planning and statistics by being anonymized through official statistics,

9.4.2. Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy or personal rights and does not constitute a crime,

9.4.3. Processing of personal data within the scope of preventive, protective and intelligence activities conducted by institutions granted duties and powers by law to provide national defense, national security, public safety, public order or economic security,

9.4.4. Processing of personal data by judicial authorities or execution authorities in relation with investigations, prosecutions, trials or executions.

In accordance with article 28/2 of LPPD, in the cases listed below, the personal data owner may not assert any other rights listed in 9.1. except for the right to claim for damages:

9.4.5. Personal data processing is required to prevent or investigate a crime,

9.4.6. Processing of personal data made public by the data owner himself,

9.4.7. Personal data processing is required by the competent public institutions and organizations and professional organizations of the nature of public institutions to conduct supervision or regulation duties and to conduct disciplinary investigation or prosecution based on the authority given by the Law,

9.4.8. Personal data processing is essential for protecting the economic and financial interests of the State in relation with budget, tax and fiscal matters.

9.5. Exercising the rights of the personal data owner

9.5.1. The personal data owner will be able to submit requests for the rights set out in this policy free of charge to STONE by filling in and signing the application form with information and documents to establish their identity and by the methods specified below or by other methods determined by the Board. In addition, as the owner of personal data, you must add the information and documents related to your request to your application.

To learn more about STONE’s compliance with PPD regulations and policies and to exercise your related rights, you can reach STONE through the channels listed below:

*our address for personal application: Maslak, Meydan Sok. Beybi Giz Plaza No:1/A, 34398 Şişli/İstanbul

*our address for written application : Maslak, Meydan Sok. Beybi Giz Plaza No:1/A, 34398 Şişli/İstanbul

*registered e-mail address: stoneterroir@hs03.kep.tr

*our e-mail address: kvkkomite@stoneterroir.com (“request for information under the protection of personal data legislation ” should be written as subject.) You can convey your concerns through this e-mail address to STONE.

To be considered a valid application, the application should be submitted with the information listed below in accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller:

9.5.1.1. Name, surname and signature if the application is written,

9.5.1.2. For citizens of the Republic of Turkey, identification number; for foreigners, nationality and passport number or ID number, if any,

9.5.1.3. Address of settlement or place of business based on notification,

9.5.1.4. E-mail address, telephone and fax number based on notification, if any,

9.5.1.5. Subject of the request.

Otherwise the application will not be considered a valid application. In the event that an application is made without filling out the application form, applicants should submit the information listed here to STONE.

In order to make an application on behalf of the data owner, a special power of attorney issued through a notary is needed.

9.5.2. In the event that the owner of the personal data conveys the request to STONE, STONE will conclude the request within thirty days at the latest, depending on the nature of the request. If the transaction requested by the data owner requires a separate cost, the fee may be charged at the tariff determined by the Board. If the application is due to STONE’s error, the fee will be refunded to the person concerned. STONE may request information from the person concerned to determine whether the applicant has personal data. In order to clarify the matters contained in the personal data owner’s application, STONE may ask the personal data owner about his application. STONE accepts or rejects the request by explaining its grounds and informs the person concerned in writing or electronically. If the request in the application is accepted, STONE will fulfill the requirement.

9.5.3. STONE may reject the application on grounds stated in 9.4 and/or below, by stating the ground for rejection.

9.5.3.1. The personal data owner’s claim is likely to interfere with other people’s rights and freedoms,

9.5.3.2. Claims that require disproportionate effort,

9.5.3.3. The requested information is public information.

9.5.4. The right of the owner of personal data to file a complaint with the Board.

In the event that the data owner’s application is rejected in accordance with Article 14 of the LPPD, that the response to his request is insufficient or that the application is not answered within the period of time, the owner of personal data may file a complaint to the Board within thirty days from the date of STONE’s response and in any case within sixty days from the date.
 
 
 
10. PROTECTION OF PERSONAL DATA

10.1. STONE takes all technical and administrative measures to prevent unlawful access to personal data, illegal processing of personal data and to store personal data safely which are processed by STONE legally according to Article 12 of LPPD.

10.2. Ensuring the security of personal data

10.2.1. Technical and administrative measures taken to prevent illegal processing of personal data

In order to ensure the lawful processing of personal data, STONE takes technical and administrative measures based on technological facilities and application costs. The main measures taken are listed below:

10.2.1.1. The personal data processing activities carried out within STONE are supervised by established technical systems and legal methods.

10.2.1.2. Staff specialized in technical matters are employed.

STONE’s employees, dealers and authorized service employees are being informed about the LPPD and the processing of personal data in accordance with the Law.

10.2.1.2.1. All the activities that STONE carries out are analyzed in detail in all business units and as a result of this analysis, personal data processing activities are revealed in the commercial activities of the related business units.

10.2.1.2.2. STONE sets out the policies and principles in writing to perform all data processing activities according to LPPD and informs all units about the policies and principles by warning the employee about the special conditions related to his own activity on data processing.

10.2.1.2.3. The contracts and documents governing the legal relationship between STONE and the employees, with the exception of STONE’s instructions and the Law, include records that place an obligation not to process, disclose, or use personal data, and raise employees’ awareness of this issue.

10.2.1.2.4. The sub-contractors are informed about the personal data protection Law and the necessary measures taken in accordance with this Law.

10.2.2. Technical and administrative measures taken to prevent unlawful access to personal data

In order to prevent imprudent or unauthorized disclosure, access, transfer or otherwise unlawful access to personal data, STONE takes technical and administrative measures based on the nature of the data to be protected, technological facilities and the cost of implementation. The main technical and administrative measures taken are listed below:

10.2.2.1. Technical measures are taken in accordance with the developments in technology.

10.2.2.2. Access and authorization technical solutions are put into operation in accordance with the legal compliance requirements determined on the basis of the business unit.

10.2.2.3. Access powers are restricted and regularly reviewed. Access restrictions are imposed on former employees and accounts are closed.

10.2.2.4. Technical measures taken in terms of risk issues are re-evaluated and the necessary technological solution is produced.

10.2.2.5. Software and hardware including virus protection systems and firewalls are being installed.

10.2.2.6. Staff who are knowledgeable about technical issues are employed.

10.2.2.7. Employees, dealers and authorized services, especially the relevant users and all personnel who process personal data, are informed about the technical measures to be taken to prevent unlawful access to personal data.

10.2.2.8. Processing personal data on a business unit basis in accordance with legal compliance requirements, access and authorization processes are designed and implemented within the company.

10.2.2.9. Employees are informed that they may not disclose the personal data they have learned to anyone in violation of PPD regulations and may not use it except for processing purposes and that their obligations regarding the security and privacy of personal data will continue after the end of the business relationship and necessary commitments are taken from them.

10.2.2.10. Documents containing personal data in the Company are protected by encrypted systems. In this context, personal data is not stored in public areas or on the desktop. Files, folders and similar documents containing personal data are not moved to the desktop or a public folder; without STONE’s prior written consent, information on company computers cannot be transferred to another device such as a USB drive or taken out of the company.

10.2.2.11. If there are security measures requested or to be requested additionally for the security of personal data under the PPD regulations, all employees are obliged to comply with the additional security measures and to ensure the continuity of these security measures.

10.2.2.12. Crisis and reputation management were discussed in order to guard against any personal data security breach, and in this context, notification processes were designed to inform the Board and the relevant person.

10.2.3. Storage of personal data:

STONE takes the necessary technical and administrative measures to store personal data in secure environments and to prevent its destruction, loss or alteration for unlawful purposes, based on technological facilities and the cost of implementation. The main technical and administrative measures taken are listed below:

10.2.3.1. In order to secure the storage of personal data, systems suitable for technological developments are used. The necessary technological solutions are produced by re-evaluating the issues that pose risks.

10.2.3.2. Staff specialized in technical matters are employed.

10.2.3.3. In order to ensure the safe storage of personal data, backup programs are used in accordance with the Law.

10.2.3.4. Access to storage areas containing personal data is restricted and inappropriate access or access attempts are instantaneously communicated to those concerned.

10.2.3.5. In the event that STONE receives an outside service due to technical requirements regarding the storage of personal data, the contracts concluded with the related companies contain the security measures taken to protect the personal data which is transferred in accordance with the Law, and contain provisions that their entire organization will comply with these measures.

10.2.4. Audit of measures taken to protect personal data

In accordance with Article 12 of the LPPD, STONE conducts, or has conducted, the necessary audits in order to ensure that the provisions of the LPPD are implemented within its organization. The results of these audits are reported to the relevant department within the scope of STONE’s internal functioning, and the necessary activities are carried out to improve the measures taken.

10.2.5. Measures to be taken in case of unauthorized disclosure of personal data

In accordance with Article 12 of the LPPD, STONE shall notify the relevant personal data owner and the Board as soon as possible if the processed personal data is obtained by others unlawfully. If required by the Board, this may be announced on the Board’s website or by any other method.

11. CLASSIFICATION OF PERSONAL DATA PROCESSED BY STONE

11.1. In line with STONE’s legitimate and lawful personal data processing purposes, the personal data in the classes listed below are processed by informing the related persons pursuant to Article 10 of the LPPD, based on and limited to one or more of the personal data processing requirements set out in Article 5 of the LPPD, and in accordance with the general principles and all obligations set out in the LPPD, in particular the principles set out in Article 4 relating to the processing of personal data. Article 11.2 of this policy also states which data owners the personal data processed in these classes relate to.
 
 

| PERSONAL DATA CLASSIFICATION | DESCRIPTION OF PERSONAL DATA CLASSIFICATION |
|---|---|
| Identity Data | Data that clearly belongs to a specific or identifiable natural person, is processed wholly or partly by automatic means or by non-automatic means as part of a data recording system, and contains information about the identity of the person: first and last name, T.R. ID number, date of birth, gender, social security number, tax ID number. |
| Communication Data | Data that belongs to a specific or identifiable natural person and is processed wholly or partly by automatic means or by non-automatic means as part of a data recording system; information such as phone number, home address, workplace address, personal e-mail address, computer number, system user name, fax number, IP number, access URL (web). |
| Personal Data | Data that belongs to a specific or identifiable natural person and is processed wholly or partly by automatic means or by non-automatic means as part of a data recording system; any personal data processed to provide the information that forms the basis of the personal rights of natural persons in a working relationship with STONE (CV information, education information, salary and bonus information, promotion/warning information, start date, job position/s in the administrator’s name, job assignments, work hours, performance information, discharge certificate, annual leave information). |
| Financial Data | Data that belongs to a specific or identifiable natural person and is processed wholly or partly by automatic means or by non-automatic means as part of a data recording system; personal data processed in relation to all kinds of financial information, documents and records showing the results created according to the type of legal relationship established between STONE and the personal data owner, and banking details, credit card data (if any), running costs, salary information, Social Security information, credit card information, e-billing information. |
| Audio and Visual Recordings | A group of data consisting of audio and visual data belonging to the person (photographs, camera recordings). |
| Location Data | Data that belongs to a specific or identifiable natural person and is processed wholly or partly by automatic means or by non-automatic means as part of a data recording system; information, within the framework of the operations carried out by STONE business units, that detects the location of the personal data owner during the use of STONE products and services, or of the employees of the institutions we collaborate with while they use STONE tools; GPS location, travel data, etc. |
| Family Members’ and Relatives’ Data | Data, clearly belonging to a specific or identifiable natural person, about the personal data owner’s family members (e.g. spouse, mother, father, child), family contact information, and spouse and child status, processed in relation to the products and services offered by STONE or in order to protect the legal and other interests of STONE and the personal data owner, in the context of operations carried out by STONE business units. |
| Other Data | Professional vehicle information, driver’s license class (in the case of vehicle allocation), business phone quota usage information, the department to which the employee is attached (retail, wholesale, chain, e-commerce, etc.), targeted sales information, Emergency Information Form data, office input-output information, psychometric test data, Personality Inventory test information, test data, personal data relating to records and documents taken at the entrance to the physical space and during the stay in the physical space, camera recordings, legal transaction data, health data, customer transaction data. |

 
 
11.2. The following table details the personal data owner classes and the types of personal data processed for the people in these classes.
 
 

Employees

ID data: first and last name, T.R. ID number, date of birth, Social Security number;
Contact data: mobile phone number, home address, personal email address, computer number, system user name, IP number, access URL (web);
Personal data: curriculum vitae information, education, salary and bonus information, promotion/warning information, start date, job position/s, work assignments, hours, performance information, discharge certificate, annual leave information;
Finance: bank information, employee expenses, Social Security data, salary information, workplace credit card data (if any);
Audio and visual recordings: employee photo;
Location data: GPS location, travel data;
Family members’ and relatives’ data: family members, contact information of relatives, spouse and child status;
Other data: health data, professional vehicle information, license class (in the case of vehicle allocation), business phone quota usage information, office input-output information, personal data relating to records and documents taken at the entrance to the physical space and during the stay in the physical space, camera recordings, Emergency Information Form data.

Previous Employees

ID: first and last name, T.R. ID number, date of birth, Social Security number;
Contact: home address, personal email address;
Personnel: curriculum vitae information, education, salary and bonus information, promotion/warning information, start date, job position/s, work assignments, hours, performance information, discharge certificate, annual leave information, separation document;
Finance: bank information, Social Security data, salary information, workplace credit card data (if any);
Audio and visual recordings: employee photo.

 

Family Members Of Employees

ID: first name-last name.

Employee / Trainee Candidates

ID data: first and last name;
Contact data: mobile phone number, email address;
Personal data: résumé information, reference information;
Audiovisual recordings: candidate photo (if available on resume);
Other data: personal data relating to records and documents taken at the entrance to the physical space and during your stay in the physical space, camera recordings.

Partner / Subcontractor

ID data: first and last name, T.R. identification number, Tax Identification Number;
Contact data: phone number, work location address;
Personal data: curriculum vitae information, education, salary and bonus information, promotion/warning information, Social Security data, start date, job position/s, work assignments, hours, performance information, discharge certificate, annual leave information;
Finance: bank information, salary information;
Other data: health data, customer transaction data, approved supplier form data, subcontractor employee data.

 

Dealer Customer

ID: first and last name, T.R. identification number, Tax Identification Number;
Contact: phone number, workplace address, email address;
Family members’ and relatives’ data: family members, contact information of relatives, spouse and child status;
Other data: legal action data.

Dealer Leads

ID: first and last name, T.R. identification number, Tax Identification Number.

Visitors

ID: first and last name, T.R. ID number;
Contact: mobile phone number;
Other data: personal data relating to records and documents taken at the entrance to the physical space and during your stay in the physical space, camera recordings.

Appendix.1 Update Table

Changes to this policy are listed in the table below.
 
 

| DATE OF UPDATE | SCOPE OF CHANGES |
|---|---|