Get to Know Us

Personal Data Processing and Protection Policy

1. DEFINITIONS AND ABBREVIATIONS

Recipient Group: The category of natural or legal person to whom personal data is transferred by the data controller.

Inventory: Personal Data Processing Inventory.

Relevant Law: Law No. 5378 on Persons with Disabilities.

Relevant User: Persons who process personal data within the organisation of the data controller or in accordance with the authority and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.

Destruction: Deletion, destruction or anonymisation of personal data.

OHSL: Occupational Health and Safety Law.

Law: Law No. 6698 on the Protection of Personal Data.

Recording Medium: Any medium that contains personal data that is fully or partially automated or processed by non-automated means, provided that it is part of any data recording system.

Personal Data Processing Inventory: It is the inventory that data controllers create and detail the personal data processing activities they carry out depending on their business processes by associating the purposes of processing personal data with the data category, the transferred recipient group and the data subject group.

Board: The Personal Data Protection Board.

Institution: The Personal Data Protection Authority.

Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are personal data of special nature.

Periodic Destruction: It is the process of deletion, destruction or anonymisation to be carried out ex officio at recurring intervals specified in the personal data storage and destruction policy in the event that all of the conditions for processing personal data specified in the law disappear. In this Policy, it refers to May and November.

Policy Polmot Motor Mak. San. ve Tic. A.Ş. Personal Data Processing and Protection Policy

Registry: The Registry of Data Controllers kept by the Personal Data Protection Authority.

Data Recording System: It is the recording system where personal data is structured and processed according to certain criteria.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Polmot Motor Polmot Motor Mak. San. and Tic. A.Ş. (Data Controller)

Company Polmot Motor Mak. San. and Tic. A.Ş. (Data Controller)

2. PURPOSE

Polmot Motor Mak. San. ve Tic. A.Ş. Personal Data Processing and Protection Policy has been prepared in order to determine the procedures and principles regarding the business and transactions regarding the processing and protection activities carried out by Polmot Motor.

Polmot Motor has prioritised the processing of personal data belonging to company employees, employee candidates, service/product providers, customers, visitors and other third parties in accordance with the Constitution of the Republic of Turkey, international conventions, the Law No. 6698 on the Protection of Personal Data ("Law") and other relevant legislation and ensuring that the relevant persons use their rights effectively.

Business and transactions regarding the processing and protection of personal data are carried out in accordance with the Policy prepared by Polmot Motor in this direction.

3. SCOPE

Polmot Motor Mak. San. ve Tic. A.Ş. Personal Data Processing and Protection Policy (hereinafter referred to as the "Policy"); It covers the departments and employees of Polmot Motor where personal data are processed, business partners with whom Polmot Motor shares data, legal/real persons from whom it purchases business and services, third parties and official institutions and organisations and legal/real persons authorised by law.

This Policy; It will cover the protection activities regarding the processing activities that Polmot Motor will apply on personal data and will be applied as a result of all kinds of processing.

In case the relevant legislation changes or is updated, Polmot Motor will update its policy in accordance with the relevant legislation and will be published in this section of the website.

In the event that there is a legal obstacle in the implementation of this Policy by Polmot Motor, incompatibility arises and / or the need to update it in the light of new regulations, Polmot Motor will be able to redetermine, change and update the Policy and its implementation.

4. PROCESSING OF PERSONAL DATA

A- PRINCIPLES COMPLIED WITH IN THE PROCESSING OF PERSONAL DATA

Our company complies with the following universal principles and principles in the protection of Personal Data:

Processing in accordance with the law and honesty rules, in a fair and transparent manner.
Being accurate and up-to-date when necessary.
Processing for specific, explicit and legitimate purposes.
Being relevant, limited and proportionate to the purpose for which they are processed.
Being kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

 


B- CONDITIONS FOR PROCESSING PERSONAL DATA

Explicit Consent of the Personal Data Owner

One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the personal data subject must be related to a specific subject, based on information and free will.

In the presence of the following personal data processing conditions, personal data may be processed without the explicit consent of the data subject.

Explicitly Stipulated by Laws

If the personal data of the data subject is explicitly stipulated in the law, in other words, if there is an explicit provision in the relevant law regarding the processing of personal data, this data processing condition may be mentioned.

Failure to Obtain Explicit Consent of the Data Subject Due to Actual Impossibility

The personal data of the data subject may be processed and/or transferred if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognised as valid, in order to protect the life or physical integrity of himself/herself or another person.

Direct Relevance to the Establishment or Performance of the Contract

Provided that it is directly related to the establishment or performance of a contract to which the data subject is a party, this condition may be deemed to be fulfilled if it is necessary to process personal data.

Fulfilment of the Company's Legal Obligation

Personal data of the data subject may be processed if processing is mandatory for our Company to fulfil its legal obligations.

In case the data owner has made his/her personal data public, the relevant personal data may be processed limited to the purpose of publicisation.

Data Processing is Mandatory for the Establishment or Protection of a Right

Personal data of the data subject may be processed if data processing is mandatory for the establishment, exercise or protection of a right.

Data Processing is Mandatory for the Legitimate Interest of our Company

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of our Company.

C- PROCESSING CONDITIONS OF SPECIAL CATEGORIES OF PERSONAL DATA

Sensitive personal data are processed by our Company in accordance with the principles set out in this Policy and by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:

Sensitive personal data other than health and sexual life may be processed without seeking the explicit consent of the data owner if it is expressly stipulated in the laws, in other words, if there is a clear provision regarding the processing of personal data in the law to which the relevant activity is subject. Otherwise, the explicit consent of the data subject shall be obtained in order to process such special categories of personal data.

The information and documents to be obtained within this scope are processed within the scope of consent.

Sensitive personal data relating to health and sexual life may be processed without seeking explicit consent by persons or authorised institutions and organisations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. Otherwise, the explicit consent of the data subject shall be obtained for the processing of such special categories of personal data.

Health information to be received within this scope may also be processed without consent within the scope of OHSK and compulsory medical practices, limited to the cases listed above.

D- CLARIFICATION OF THE PERSONAL DATA SUBJECT

Polmot Motor enlightens personal data owners in accordance with Article 10 of the Law and secondary legislation. In this context, Polmot Motor informs the relevant persons about the purposes for which personal data are processed by Polmot Motor as the data controller, for which purposes they are shared with whom, for which purposes they are shared, by which methods they are collected and the legal reason and the rights of the data subjects within the scope of the processing of their personal data.

As a matter of fact, within the scope of international legislation, the period of storage of data and the criteria to be applied in determining the retention period in cases where it is not possible to specify the period are specified, whether the processing of personal data is mandatory and the consequences that will occur if the mandatory processing activities are not carried out are shown.

In the presentation of the clarification text regarding the camera recording, which is necessary to ensure physical security and supervision, accessibility standards are complied with in accordance with the Law on Persons with Disabilities.

 


E- PROCESSED PERSONAL DATA GROUPS

Data owners who are within the scope of Polmot Motor KVK Policy and whose personal data are processed by Polmot Motor are grouped below.

Polmot Motor Employee Candidates
Persons who have not established a service contract with Polmot Motor, but who are taken under Polmot Motor evaluation to be established.
Polmot Motor Business Partners, Authorities, Employees
Natural person officials, shareholders, employees, businesses and companies with which Polmot Motor has commercial relations.
Polmot Motor Visitors
Natural persons who visit Polmot Motor premises or websites operated by Polmot Motor.
Other Natural Persons

Polmot Motor Employees All natural persons not covered by the Personal Data Protection and Processing Policy.

F- PURPOSE OF PROCESSING PERSONAL DATA

Determination, planning and implementation of Polmot Motor's commercial policies in the short / medium / long term:

i. Execution of Strategic Planning Activities

ii. Management of relations with business partners, customers and suppliers

Design and Execution of Polmot Motor's Human Resources Activities:

Execution of employee recruitment processes
Planning and execution of intern and student recruitment, placement and operation processes
Planning of human resources processes
Fulfilment of the obligations arising from the employment contract and legislation for the Company employees
Monitoring and supervision of employees' work activities
Planning and execution of fringe benefits and benefits for employees
Planning and execution of employee exit procedures
Planning and monitoring the performance evaluation processes of employees
Planning and execution of in-house training activities
Management of relations with business partners and suppliers
Wage management
Planning and execution of in-company orientation and social activities
Fulfilment of information and document obligation in judicial and administrative processes

Carrying out the necessary work by the Business Units within the Company in order to fulfil the commercial activities carried out by Polmot Motor in accordance with the Legislation and Company Policies and carrying out the activities in this direction:

Follow-up of finance and accounting affairs
Conducting investor relations
Planning and execution of corporate communication activities
Planning and execution of corporate sustainability activities
Planning and execution of effectiveness/efficiency and relevance analyses of business activities
Event management
Establishment and management of information technology infrastructure
Planning, auditing and execution of information security processes

Other processing purposes:

Ensuring the commercial, technical and legal security of the relevant persons with whom Polmot Motor has a business relationship and liaising with these real / legal persons;
Protecting the commercial reputation and trust of Polmot Motor;
Compliance with the information storage, reporting and information obligations stipulated by official institutions within the scope of the relevant legislation, and fulfilment of the legal obligations we are subject to regarding the use of these services;
Examining, evaluating and responding to requests from public authorities or relevant persons;
Ensuring the security and supervision of the physical spaces of the Company through camera recording and other systems;
Fulfilment of the obligation of proof as evidence in legal disputes that may arise in the future;
It is processed within the scope of the conditions and purposes of processing personal data specified in Articles 5 and 6 of the KVKK.

G- DURATION OF PROCESSING OF PERSONAL DATA PROCESS

STORAGE TIME

DISPOSAL TIME

Execution of Commercial Affairs

10 years

At the first periodic destruction period following the end of the storage period

Preparation and Execution of Contracts

10 years following the termination of the effect of the contract on business and transactions

At the first periodic destruction period following the end of the storage period

 

Execution of communication activities with the Company

5 years after the end of the activity

At the first periodic destruction period following the end of the storage period

Execution of Human Resources Processes

10 years following the termination of the labour contract and legal process

At the first periodic destruction period following the end of the storage period

Log Recording Tracking Systems

2 years

At the first periodic destruction period following the end of the storage period

Execution of Hardware and Software Access Processes

2 years

At the first periodic destruction period following the end of the storage period

Visitor Registration

6 months

At the first periodic destruction period following the end of the storage period

Camera Recordings

6 months

At the first periodic destruction period following the end of the storage period

Employee Candidate Job Application Form / CV

Immediately if the job description applied for no longer exists, otherwise 6 months

At the first periodic destruction period following the end of the storage period

Application Form to the Data Controller

10 years following the end of the application and, if any, the file process transferred to the Institution

At the first periodic destruction period following the end of the storage period

Corporate Memory

99 years

At the first periodic destruction period following the end of the storage period

In addition to the above, personal data may be transferred to foreign countries declared by the Board to have adequate protection ("Foreign Country with Adequate Protection") in the presence of any of the above conditions. In the absence of adequate protection, in accordance with the data transfer conditions stipulated in the legislation, personal data may be transferred to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the Board has authorisation ("Foreign Country Where the Data Controller Undertakes Adequate Protection").

B- RECIPIENT GROUP AND PURPOSE OF TRANSFER

In the personal data transfers to be carried out by Polmot Motor, the personal data transfer conditions regulated in Articles 8 and 9 of the KVK Law are complied with.

i. Domestic Transfer of Personal Data

In accordance with Article 8 of the KVK Law, Polmot Motor acts in accordance with the data processing conditions in data transfer activities to be carried out domestically.

ii. Transfer of Personal Data Abroad

 


Pursuant to Article 9 of the KVK Law, personal data can be transferred abroad by Polmot Motor in accordance with the personal data processing conditions and if the country of transfer is one of the countries with adequate protection declared by the KVK Board or if there is no adequate protection in the relevant foreign country, the data controllers in Turkey and in the relevant foreign country undertake an adequate protection in writing and with the permission of the KVK Board.

iii. Groups of Persons to whom Personal Data is Transferred by Polmot Motor

 


In accordance with Articles 8 and 9 of the KVK Law, Polmot Motor may transfer the personal data of data owners within the scope of Polmot Motor KVK Policy to the following groups of persons for the specified purposes:

To Polmot Motor Business Partners, limited to the purpose of establishing and maintaining the business partnership,
Polmot Motor Suppliers for the limited purpose of fulfilling Polmot Motor's business activities,
Authorised public institutions and organisations (relevant municipalities, etc.) and authorised private law persons (relevant lift companies, etc.), limited to the purpose requested within the legal authority of the relevant persons,
In accordance with the conditions of personal data transfer to third parties.

 


6. RIGHTS OF THE PERSONAL DATA OWNER

A- RIGHTS

Personal data subjects have the following rights

 


To learn whether personal data is processed or not,
Request information if personal data has been processed,
To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
To know the third parties to whom personal data are transferred domestically or abroad,
To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
Although it has been processed in accordance with the provisions of the KVKK and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
To object to the emergence of a result to the detriment of the person himself/herself by analysing the processed data exclusively through automated systems,
In case of damage due to unlawful processing of personal data, they have the right to demand compensation for the damage.
In cases where the application is rejected, the response is found insufficient or the application is not responded in due time; the data subject may file a complaint to the Personal Data Protection Board within thirty days from the date of learning the response of the data controller and in any case within sixty days from the date of application. Pursuant to Article 13 of the Law, a complaint cannot be filed without exhausting the remedy.
Within the scope of international legislation, in addition to the above-mentioned rights of the person concerned; there is also the right to request the restriction of the processing of personal data and to withdraw consent to the processing or transfer of personal data.

 


B- HOW TO EXERCISE THE RIGHTS

Personal data owners can apply to the Data Controller by using the Application Form (see Application Declaration) on the website www.polmot.com.tr, in person with a written document, by sending a notice from a notary public, with an electronically signed document, with a mobile signature or via e-mail previously registered in the system.

Application Declaration: Application Method


Application Address

Information to be specified in the application submission

In Person Application [The applicant comes in person and applies with a document certifying his/her identity]

Büyükkayacık OSB Mah. 103. Cad. No:15 Selçuklu KONYA

"Information Request within the scope of the Law on the Protection of Personal Data" will be written on the envelope.

NApplication via Notary Public

Büyükkayacık OSB Mah. 103. Cad. No:15 Selçuklu KONYA

"Information Request within the scope of the Law on the Protection of Personal Data" will be written on the notification envelope.

Application with Secure Electronic Signature [Application via Registered Electronic Mail (KEP) by signing with secure electronic signature]

kalite@polmot.com.tr

"Personal Data Protection Law Information Request" will be written in the subject section of the e-mail.

Application by Mobile Signature or E-mail [By using the e-mail address previously notified to the data controller by the data subject and registered in the system of the data controller]

kalite@polmot.com.tr

"Personal Data Protection Law Information Request" will be written in the subject section of the e-mail.

 

In cases where the application is rejected, the response is found insufficient or the application is not responded in due time; the data subject may file a complaint to the Personal Data Protection Board within thirty days from the date of learning the response of the data controller and in any case within sixty days from the date of application. Pursuant to Article 13 of the Law, a complaint cannot be filed without exhausting the remedy.

The data provided to the Company with the application form are processed and protected in accordance with the procedures and principles set out in this Policy.

C- ANSWERING THE REQUEST BY THE DATA CONTROLLER

Our Company takes the necessary administrative and technical measures to finalise the applications to be made by the personal data owner in accordance with the Law and secondary legislation.

In the event that the personal data owner duly submits his/her request regarding the above-mentioned rights to our Company, our Company will finalise the relevant request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.

7. SECURITY OF PERSONAL DATA

A- TECHNICAL MEASURES

The technical measures taken by Polmot Motor regarding the personal data it processes are listed below:

Necessary measures are taken by revealing the risks, threats, vulnerabilities and vulnerabilities, if any, for the information systems of the company through different tests.
Risks and threats that will affect the continuity of information systems are continuously monitored as a result of real-time analyses conducted through information security incident management.
Access to information systems and authorisation of users are carried out through security policies via access and authorisation matrix and corporate active directory.
Necessary measures are taken for the physical security of Polmot Motor's information systems equipment, software and data.
In order to ensure the security of information systems against environmental threats, hardware (camera recording, alarm system and lock system, etc.) and software (firewalls, attack prevention systems, network access control, systems that prevent malware, etc.) measures are taken.
Risks to prevent unlawful processing of personal data are identified, technical measures are taken in accordance with these risks and technical controls are carried out for the measures taken.
Access procedures are established within Polmot Motor and reporting and analyses are carried out regarding access to personal data.
Access to storage areas containing personal data is recorded and inappropriate access or access attempts are kept under control.
The Institution takes necessary measures to ensure that deleted personal data is inaccessible and non-reusable for the relevant users.
In the event that personal data is unlawfully obtained by others, a suitable system and infrastructure has been established by Polmot Motor to notify the relevant person and the Board.
Security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up to date.
Strong passwords are used in electronic environments where personal data are processed.
Secure logging systems are used in electronic media where personal data is processed.
Data backup programmes are used to ensure that personal data are stored securely.
Access to personal data stored in electronic or non-electronic media is restricted according to access principles.
A separate policy has been determined for the security of special categories of personal data.
Trainings on special categories of personal data security have been provided for employees involved in special categories of personal data processing processes, confidentiality agreements have been made, and the authorisations of users who are authorised to access data have been defined.
Electronic media where sensitive personal data are processed, stored and/or accessed are stored using cryptographic methods, cryptographic keys are kept in secure environments, security updates of the environments are constantly monitored, necessary security tests are regularly carried out / conducted, and test results are recorded,
Adequate security measures are taken for the physical environments where sensitive personal data are processed, stored and/or accessed, and unauthorised entry and exit are prevented by ensuring physical security.
If sensitive personal data is required to be transferred via e-mail, it is transferred encrypted with a corporate e-mail address or using a KEP account. If it needs to be transferred via media such as portable memory, CD, DVD, etc., it is encrypted with cryptographic methods and the cryptographic key is kept in different media. If the data is transferred between servers in different physical environments, the data is transferred between servers or by sFTP method. If it is necessary to transfer via paper media, necessary precautions are taken against risks such as theft, loss or unauthorised viewing of the document and the document is sent in "confidential" format.

B- ADMINISTRATIVE MEASURES

The administrative measures taken by Polmot Motor regarding the personal data it processes are listed below:

In order to improve the quality of employees, trainings are provided on preventing unlawful processing and access to personal data, ensuring the protection of personal data, communication techniques, technical knowledge skills and legislation.
Confidentiality agreements are signed by employees regarding the activities carried out by Polmot Motor.
A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
In case of co-operation with third parties for the storage of personal data, the contracts made with the companies to which personal data are transferred include provisions that set out the obligations and responsibilities of the persons to whom personal data are transferred to take the necessary security measures for the protection and safe storage of the transferred personal data. In general, our principle is that the businesses to which the data is transferred also have the necessary certification and compliance processes.
The security of the places where personal data are physically stored is ensured and access authorisation is limited.
Personal data processing inventory has been prepared.
In-house periodic and random audits are carried out.
Necessary equipment, especially for physical destruction, is available in the workplace.
Measures are taken in accordance with the accessibility standards in accordance with the Law on Persons with Disabilities in the presentation of the clarification text regarding the camera recording required to ensure physical security and supervision.

8. DESTRUCTION OF PERSONAL DATA

 


A- REASONS REQUIRING DESTRUCTION

Personal data;

Amendment or abolition of the relevant legislation provisions that constitute the basis for processing
Disappearance of the purpose requiring processing or storage,
The processing of personal data is contrary to the law or good faith or subsequently becomes contrary to the law or good faith,
Pursuant to Article 11 of the Law, Polmot Motor accepts the application made by the person concerned regarding the deletion and destruction of his personal data within the framework of his rights,
In cases where Polmot Motor rejects the application made by the person concerned with the request for deletion, destruction or anonymisation of his personal data, finds the answer insufficient or does not respond within the period stipulated in the Law; In case he makes a complaint to the Board and this request is approved by the Board (Institution or Board instruction)
The maximum period required for the retention of personal data has expired and there is no condition that justifies the retention of personal data for a longer period of time
The contract between the parties has never been established, the contract is invalid, the contract is automatically terminated, the contract is terminated or the contract is revoked,
In cases where the processing of personal data is carried out only on the basis of explicit consent, the person concerned may withdraw his/her explicit consent,

in such cases, it shall be deleted, destroyed or ex officio deleted, destroyed or anonymised by Polmot Motor upon the request of the person concerned.

B- TYPES OF DESTRUCTION OF PERSONAL DATA

Destruction of personal data can be achieved in three different ways. These are deletion, destruction or anonymisation of the data.

i. Deletion of Personal Data

Deletion of personal data is the process of making personal data inaccessible and non-reusable in any way for the relevant users. Although it has been processed in accordance with the provisions of the relevant law, Polmot Motor deletes or destroys personal data based on its own decision or upon the request of the personal data owner in the event that the reasons requiring its processing disappear and the situations regulated in the Regulation arise.

ii. Destruction of Personal Data

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. Destruction will be carried out in cases where Polmot Motor processes data in physical recording media. Polmot Motor is obliged to make these data impossible to be recovered again. Polmot Motor shall take all necessary technical and administrative measures.

iii. Anonymisation of Personal Data

Anonymisation is the process of making personal data impossible to be associated with an identified or identifiable natural person, even if such data is matched with other data, in cases where Polmot Motor processes personal data completely or automatically. During the anonymisation of data, Polmot Motor may use methods such as encryption with one-way functions. Polmot Motor will take all necessary technical and administrative measures regarding the anonymisation of personal data.

9. PUBLICATION/STORAGE OF THE POLICY, EFFECTIVE DATE AND UPDATES TO BE MADE IN THE POLICY

The Policy is published in two different media, wet signed (printed paper) and electronic media, and disclosed to the public on the website. The printed paper copy is kept in the file at the company.

The Policy is deemed to have entered into force upon its publication on the company's website. If it is decided to abolish the Policy, the old wet signed copies of the Policy shall be cancelled and signed by the person(s) authorised to sign by the company (by stamping the cancellation stamp or writing cancellation) and kept by the company for at least 5 years.

The Policy may be updated following the amendment to be made in the relevant legislation or if deemed necessary.