Akça | Volvo

Akça

AKÇA MAKİNA OTOMOTİV SAN. VE TİC. A.Ş.

PERSONAL DATA PROCESSING AND PROTECTION POLICY

ENTRANCE

Personal Data Protection Law No. 6698 came into force on April 7, 2016 and includes regulations regarding the processing of all kinds of information regarding “identified or identifiable natural persons”. This Personal Data Protection and Processing Policy AKÇA MAKİNA OTOMOTİV SAN. VE TİC. A.Ş. It contains statements and explanations regarding the processing of personal data within the scope of the Law. From now on AKÇA MAKİNA OTOMOTİV SAN. VE TİC. A.Ş. It will be referred to as “AKÇA”.

AIM

In line with the aim of creating unity within the AKÇA company; It creates the necessary system to raise awareness about the protection of personal data within the company and establishes the necessary order to ensure compliance of its internal operations with the legislation on the protection and processing of personal data. Akça Makina Otomotiv San. ve Tic. A.Ş. PDP Policy aims to provide guidance in terms of the implementation of the regulations set forth by the PDP Law and relevant legislation.

With AKÇA’s PDP Policy; The basic principles regarding the compliance of the activities carried out by AKÇA with the regulations in the Personal Data Protection Law No. 6698 (“PDP Law”) are determined and in this context, the things that AKÇA must fulfill are set forth.

SCOPE AND AMENDMENT OF THE POLICY

AKÇA establishes systems to carry out all activities necessary for compliance with the legislation on the processing and protection of personal data. AKÇA Personal Data Processing and Protection Policy regulates the principles adopted by AKÇA in the protection and processing of personal data. The data obtained from you with your consent or in accordance with other laws listed in the Law will be used to improve the quality of the services we offer and to improve the services offered to you and our quality policy. Again, some of the data we have is depersonalized and anonymized. AKÇA Personal Data Protection and Processing Policy aims to protect the automatically obtained data of our customers, prospective customers, employees, customers and employees of companies working in solution partnership with us, or other persons, and includes regulations regarding these.

AKÇA reserves the right to make changes to the AKÇA PDP Policy in parallel with legal regulations – provided that it complies with the law and better protects personal data.

POLICY PRINCIPLES

BASIC PRINCIPLES ADOPTED BY AKÇA

AKÇA adopts the basic principles listed below to ensure and maintain compliance with the personal data protection legislation.

Processing Personal Data in Compliance with Law and Integrity Rules

AKÇA carries out its personal data processing activities in accordance with the law and the rule of honesty, in accordance with the personal data protection legislation, especially the Constitution of the Republic of Turkey.

Ensuring the Accuracy and Up-to-Date of Personal Data Processed

AKÇA ensures the accuracy and up-to-dateness of the personal data it processes, takes the necessary administrative and technical measures within this framework and carries out the necessary processes. In this context, AKÇA attaches importance to correcting the personal data of personal data owners if they are inaccurate, confirming their accuracy and updating them if they are forwarded to them.

Processing Personal Data in a Purpose-Related, Limited and Measured Way

AKÇA processes personal data in connection with the data processing conditions and as necessary to provide these services. It does not process, use or allow data to be used for purposes other than business purposes. In this context, AKÇA takes into account the fundamental rights of data owners and their own legitimate interests.

Processing Personal Data for Specific, Clear and Legitimate Purposes

AKÇA processes data limited to the service it provides and the purposes for which it receives consent from individuals during the service.

Keeping Personal Data for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose for which they are Processed

AKÇA retains personal data for a limited period of time stipulated in the relevant legislation or required by the purpose of data processing. In this regard, AKÇA complies with the time limit arising from Article 138 of the Turkish Penal Code and Articles 4 and 7 of the PDP Law. AKÇA deletes, destroys or anonymizes personal data when the period stipulated in the legislation expires or if the reasons requiring the processing of personal data disappear.

POLICY APPLICATION AREA

This Personal Data Protection and Processing Policy contains Akça’s statements and explanations regarding the processing of personal data of natural persons in the categories listed below by AKÇA within the scope of the Law. In this context, the scope of application of the Policy is the processing processes of personal data belonging to the following data owners:

  • Real Customers,
  • Corporate Customer Shareholders, Officers, Employees,
  • Potential Customers,
  • Company Officials,
  • Shareholders,
  • Former Employees / Retirees,
  • Business Partner Shareholders, Officers, Employees,
  • Supplier Shareholders, Officers, Employees,
  • Employee and Intern Candidates,
  • Business Partner Candidates,
  • Supplier Candidates,
  • Visitors,
  • Press,
  • Third Parties.

This Policy may be updated from time to time to comply with changing conditions and legislation.

PERFORMING PERSONAL DATA PROCESSING ACTIVITIES IN ACCORDANCE WITH DATA PROCESSING TERMS

Processing of Personal Data in Accordance with the Principles Provided in the Legislation

While AKÇA carries out its personal data processing activities, it complies with the data processing conditions specified in Articles 5 and 6 of the PDP Law and the Regulation on the Processing of Personal Health Data, provided that it complies with the basic principles. In this regard, AKÇA determines whether the data processing conditions in question exist in terms of the personal data processing activities carried out; If the conditions are not met, it does not process personal data. AKÇA establishes the necessary mechanisms in its internal systems for the lawful processing of personal data, creates in-house awareness regarding the protection of personal data, and carries out the necessary audit mechanisms. Within the scope of processing personal data, AKÇA complies with the rules set forth in the Constitution of the Republic of Turkey, the Turkish Penal Code, the PDP Law and other relevant legislation and the AKÇA PDP Policy.

Conditions for Processing Personal Data

Except for the express consent of the personal data owner, the basis for personal data processing may be only one of the conditions specified below, or more than one condition may be the basis for the same personal data processing activity. If the data processed is personal data of special nature, the conditions set out in section 4.3.3 of this Policy, “Processing of Personal Data of a Special Category”, will apply.

Having Explicit Consent of the Personal Data Owner

One of the conditions for processing personal data is the explicit consent of the data owner. Explicit consent of the personal data owner is expressed on a specific subject, based on information and free will. If the following personal data processing conditions are met, personal data can be processed without the need for the data owner’s explicit consent.

Clearly Provided in Laws

If the personal data of the data owner is clearly foreseen by the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, it can be said that this data processing condition exists.

Failure to Obtain Explicit Consent of the Person Relevant Due to Actual Impossibility

If it is necessary to process the personal data of a person who is unable to express his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself or another person, the personal data of the data owner may be processed.

Directly Related to the Establishment or Performance of the Contract

This condition may be deemed to be fulfilled if the processing of personal data is necessary, provided that it is directly related to the establishment or performance of a contract to which the data owner is a party.

Fulfillment of the Company’s Legal Obligations

Personal data may be processed without obtaining separate consent in order to clearly state the processing in the relevant legislation or to fulfill a legal obligation determined by the legislation. The type and scope of data processing must be necessary for the legally permissible data processing activity and must comply with the relevant legal provisions.

Personal Data Owner’s Publicization of Personal Data

If the data owner has made his/her personal data public, the relevant personal data may be processed on a limited basis for the purpose of publicization.

Data Processing Is Necessary for the Establishment or Protection of a Right

If data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.

Data Processing Is Necessary for Our Company’s Legitimate Interests

Personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company, provided that the fundamental rights and freedoms of the personal data owner are not harmed.

Processing of Special Personal Data

Special categories of personal data are processed by our Company in accordance with the principles specified in this Policy and by taking all necessary administrative and technical measures, including the methods determined by the Board, and within the conditions required by the legislation.

Accordingly, special personal data are not processed without the explicit consent of the person concerned. However, personal data other than health and sexual life, which are special categories of data, may be processed without the explicit consent of the relevant person in cases stipulated by law. Personal data regarding health and sexual life can only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, without the express consent of the person concerned.

PERFORMING PERSONAL DATA TRANSFER IN ACCORDANCE WITH DATA TRANSFER TERMS

Transfer of Personal Data

AKÇA may transfer the personal data and sensitive personal data of the personal data owner to third parties by taking the necessary security measures in line with the legal personal data processing purposes. In personal data transfers to be carried out by the Company (actively sharing personal data with third parties or making personal data accessible to third parties), the personal data transfer conditions set out in Articles 8 and 9 of the PDP Law are complied with.

Even if there is no explicit consent of the personal data owner, if one or more of the conditions stated below are present, personal data may be transferred to third parties by our Company by taking necessary care and taking all necessary security measures, including the methods prescribed by the Board.

  • Relevant activities regarding the transfer of personal data are clearly foreseen by law,
  • The transfer of personal data by the Company is directly related to and necessary for the establishment or performance of a contract,
  • Transfer of personal data is mandatory for our Company to fulfill its legal obligations,
  • Transfer of personal data by our Company in a limited way for the purpose of publicization, provided that it has been made public by the data owner,
  • Transfer of personal data by the Company is mandatory for the establishment, exercise or protection of the rights of the Company, the data owner or third parties,
  • It is mandatory to transfer personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data owner,
  • It is necessary for the person who is unable to express his consent due to actual impossibility or whose consent is not given legal validity, to protect his own life or physical integrity, or that of someone else.

In addition to the above, personal data may be transferred to foreign countries declared by the Board to have adequate protection, if any of the above conditions are met. In case there is not sufficient protection, it may be transferred to foreign countries where the data controllers in Turkey and the relevant foreign country have committed in writing to adequate protection and have the permission of the Board, in line with the data transfer conditions stipulated in the legislation.

Transfer of Special Personal Data

Special categories of personal data are transferred by our Company in accordance with the principles specified in this Policy and by taking all necessary administrative and technical measures, including the methods determined by the Board, and within the conditions required by the legislation.

Accordingly, special personal data is not transferred without the explicit consent of the person concerned. However, personal data other than health and sexual life, which are special categories of data, can be transferred without the explicit consent of the relevant person in cases stipulated by law. Personal data regarding health and sexual life can only be transferred for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, without the express consent of the person concerned.

ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA

Ensuring the Security of Personal Data

In accordance with Article 12 of the Law, AKÇA takes the necessary measures, depending on the nature of the data to be protected, to prevent unlawful disclosure, access, transfer of personal data or security deficiencies that may occur in other ways. In this context, our Company takes administrative and technical measures to ensure the necessary level of security in accordance with the guidelines published by the Personal Data Protection Board, carries out audits within the company or has them carried out, and takes the measures stipulated in the Personal Data Protection Law in case of illegal disclosure of personal data.

Protection of Special Personal Data

The law attaches special importance to certain personal data due to the risk of causing victimization or discrimination when processed unlawfully. Data of this special nature; Data regarding race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. AKÇA acts with care in the protection of special personal data, which are determined as “special nature” by the Law and processed in accordance with the law. In this context, the technical and administrative measures taken by AKÇA to protect personal data are carefully implemented in terms of special personal data and the necessary inspections are provided within the company.

Administrative Measures to be Taken by AKÇA to Ensure Lawful Processing of Personal Data and Prevent Unlawful Access to Personal Data

  • Training is provided on improving the qualifications and technical knowledge/skills of employees, preventing unlawful processing of personal data, preventing unlawful access to personal data, ensuring the preservation of personal data, communication techniques and relevant legislation.
  • Confidentiality agreement provisions are included in the employment contracts of employees.
  • The necessary and sufficient legal written warning procedure for employees who do not comply with security policies and procedures is made functional.
  • The obligation to inform the relevant persons is fulfilled.
  • Periodic and random audits are carried out within the company and information security training is provided to employees.
  • In addition to the administrative measures taken for personal data, employees involved in the processing of special personal data are given training on data security issues, security measures are taken for the environments where these data are processed and stored, unauthorized entries and exits are prevented, and if it is necessary to transfer them on paper, the documents are in the format of “confidential documents” is sent.
  • Before starting to process personal data, the institution fulfills its obligation to inform the relevant persons and provides information security training to employees.

Technical Measures to be Taken by AKÇA to Ensure Lawful Processing of Personal Data and Prevent Unlawful Access to Personal Data

The company’s security vulnerabilities are monitored and appropriate security patches are installed, information systems are kept up to date, strong passwords are used in electronic environments where personal data is processed, and backup programs are used to ensure safe storage of personal data.

Raising Awareness and Conducting Audit Activities regarding the Protection of Personal Data in AKÇA

AKÇA ensures that necessary training is organized for business units in order to raise awareness regarding the processing of personal data in accordance with the law, preventing illegal access to personal data and ensuring the protection of personal data.

AKÇA carries out the necessary internal and external audits regarding the protection of personal data. The compliance, functioning and effectiveness of the technical measures, administrative measures and practices taken by AKÇA within the scope of protecting and ensuring the security of personal data with the relevant legislation, policies, procedures and instructions are audited by the Company Internal Audit Units. The results of the audit activities carried out will be reported to the relevant managers. It is the primary responsibility of process owners to regularly monitor the actions planned regarding the audit results. AKÇA Internal Audit Unit will also follow up, verify tests and audit the actions within the scope of this report. Without being limited to the audit results, the measures taken regarding the protection of data will be developed and improved.

Precautions to be Taken in Case of Illegal Disclosure of Personal Data

In case the personal data it processes are obtained by unauthorized persons in violation of the law, AKÇA will immediately notify the PDP Board and the relevant data owners about the situation. The internal structure required to fulfill this obligation will be established within AKÇA.

OBLIGATIONS RELATED TO PERSONAL DATA PROCESSING ACTIVITIES

AKÇA will comply with the obligations stipulated by the PDP Law for data controllers. In this context, the main issues that the company is obliged to comply with are listed below:

Registration and Notification Obligation to the Data Controllers Registry

AKÇA has been registered in the Data Controllers Registry in accordance with Article 16 of the PDP Law and the procedures and principles of the Regulation on Data Controllers Registry.

Obligation to Inform the Data Owner

AKÇA carries out the necessary processes to ensure that data owners are informed during the acquisition of personal data, in accordance with Article 10 of the PDP Law and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Disclosure Obligation. The information that must be provided to data owners within the scope of the disclosure obligation is listed below:

  • Identity of the data controller and his representative, if any,
  • For what purpose personal data will be processed,
  • To whom and for what purpose the processed personal data can be transferred,
  • Method and legal reason for collecting personal data.

Obligation to Ensure the Security of Personal Data

AKÇA, in accordance with Article 12 of the Personal Data Protection Law, is aware of the importance of ensuring the security of personal data and observing the fundamental rights and freedoms of data owners;

  • To prevent unlawful processing of personal data,
  • To prevent unlawful access to personal data,
  • It takes all necessary technical and administrative measures to ensure the appropriate level of security to ensure the protection of personal data.

AKÇA is also obliged to carry out the necessary inspections or have them carried out within the scope of the operation of mechanisms to ensure data security.

Obligation to Fulfill the Decisions Made by the PDP Board

AKÇA acts in accordance with the decisions made by the PDP Board, which operates to ensure that personal data is processed in accordance with fundamental rights and freedoms and is the executive body of the PDP Institution.

Obligation to Respond to Data Owner Applications

AKÇA takes the necessary administrative and technical measures to finalize the applications made by the personal data owner in accordance with the Law and secondary legislation. Pursuant to Article 13 of the PDP Law, as the Company data controller, if the personal data owner submits his/her request regarding the rights stated in section 7.1. (“Rights of the Personal Data Owner”) to our Company in accordance with the procedure, as soon as possible and within thirty days at the latest, depending on the nature of the request. It will be finalized within 30) days. Data owners must make their requests regarding their personal data in accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.

Obligation to Transfer and Obtain Personal Data in Compliance with the Law

In accordance with Article 4 of the PDP Law, AKÇA will process personal data in accordance with the law and the rule of honesty. In this context, activities of obtaining and transferring personal data will be carried out in accordance with the law.

Obligation to Act in Compliance with Regulations Regarding the Storage of Personal Data

AKÇA, in accordance with Article 7 of the PDP Law; It will establish the necessary internal systems for the deletion, anonymization or destruction of personal data whose reason for processing is no longer valid even though it has been processed in accordance with the law.

CATEGORIZATION AND PROCESSING PURPOSES OF PERSONAL DATA PROCESSED BY AKÇA

Before AKÇA, the relevant persons are informed in accordance with Article 10 of the Law and the relevant legislation, in line with the personal data processing purposes, based on and limited to at least one of the personal data processing conditions specified in the Law, primarily based on the principles specified in the Law regarding the processing of personal data. Personal data is processed in accordance with the general principles specified in the Law.

STORAGE AND DESTRUCTION OF PERSONAL DATA

The Company retains personal data for the period necessary for the purpose for which they are processed and in accordance with the minimum periods stipulated in the legal legislation governing the relevant activity. In this context, the Company first determines whether a period of time is stipulated in the relevant legislation for the storage of personal data, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the data owner’s application and with the specified destruction methods (deletion and/or destruction and/or anonymization).

RIGHTS OF DATA SUBJECTS AND THE USE OF THESE RIGHTS

Rights of Personal Data Owners

In accordance with Article 11 of the PDP Law, the rights of personal data owners;

  • To learn whether personal data is processed or not,
  • To request information regarding personal data if they have been processed,
  • To learn the purpose of processing personal data and whether they are used for their intended purpose,
  • To know the third parties to whom personal data is transferred domestically or abroad,
  • To request correction of personal data if it has been processed incompletely or incorrectly, and to request that the action taken in this context be notified to third parties to whom personal data has been transferred,
  • Requesting the deletion or destruction of personal data in case the reasons requiring processing no longer exist, even though it has been processed in accordance with the provisions of the PDP Law and other relevant laws, and requesting that the action taken in this context be notified to third parties to whom the personal data has been transferred,
  • To object to the emergence of a result that is unfavorable to the person by analyzing the processed data exclusively through automatic systems,
  • To request compensation for damages in case of damage due to unlawful processing of personal data.

Personal Data Owners’ Exercise of Their Rights

Personal data owners will be able to submit their requests regarding their rights listed as “Rights of Personal Data Owners” in section 7.1. to our Company through the methods determined by the Board. In this regard, they can be reached and benefited from http://www.akcamakina.com.tr/ PDP-Basvuru-Formu.pdf.

SPECIAL SITUATIONS WHERE PERSONAL DATA IS PROCESSED

Building and Facility Entrances, Personal Data Processing Activities within the Building and Facility, and Website Visitors

In order to ensure security by AKÇA, personal data processing activities are carried out in AKÇA buildings and facilities through security camera monitoring and tracking of guest entries and exits.

Camera Monitoring Activities Conducted at and Inside AKÇA Building and Facility Entrances

AKÇA carries out camera monitoring activities in accordance with the law on Private Security Services and relevant legislation in order to ensure security in its buildings and facilities. In order to ensure security in AKÇA buildings and facilities, it carries out security camera monitoring activities for the purposes stipulated in the relevant legislation in force and in accordance with the personal data processing conditions listed in the Law. In accordance with Article 10 of the Law, AKÇA informs the personal data owner through multiple methods regarding camera monitoring activities. In addition, in accordance with Article 4 of the AKÇA Law, personal data is processed in a limited and measured manner in connection with the purpose for which they are processed. The purpose of AKÇA’s monitoring activity with video cameras is limited to the purposes listed in this Policy. In this regard, the monitoring areas of security cameras, their number and when they will be monitored are implemented in a way that is sufficient to achieve the security goal and is limited to this purpose. It is not subject to monitoring in areas that may result in interference with a person’s privacy that exceeds security purposes (for example, toilets). Only a limited number of AKÇA employees have access to live camera images and records recorded and preserved digitally. A limited number of people who have access to the records declare with a confidentiality agreement that they will protect the confidentiality of the data they access.

Monitoring of Guest Entrance and Exit at AKÇA Building and Facility Entrances and Inside

AKÇA carries out personal data processing activities to ensure security and to monitor guest entries and exits in AKÇA buildings and facilities for the purposes specified in this Policy. While the names and surnames of people who come to AKÇA buildings as guests are obtained, the personal data owners in question are clarified in this context through texts posted at AKÇA or made available to guests in other ways. The data obtained for the purpose of entry-exit tracking is processed only for this purpose and the relevant personal data is recorded in the data recording system in the physical environment.

DETERMINATION OF THE UNIT RESPONSIBLE FOR THE PROTECTION AND PROCESSING OF PERSONAL DATA

AKÇA has appointed a person responsible for the protection of personal data within the company to manage the PDP Policy and other related policies. In this context, the basic activities to be carried out by the relevant person are listed below:

  • Following up on the preparation of documentation regarding the protection and processing of personal data and submitting the documents to the approval of the relevant persons,
  • Ensuring the implementation of documents regarding the protection and processing of personal data and ensuring that the necessary inspections are carried out,
  • Monitoring whether the company fulfills its obligations (AKÇA PDP Policy Title: 4.6),
  • Monitoring the relations with the PDP Institution and the PDP Board,
  • If it is decided to appoint a person responsible for the protection and processing of personal data, the process of appointing this person is also carried out by the company’s senior management. In addition to the minimum duties mentioned above, some additional duties and responsibilities may be assigned to the unit and the responsible person to be appointed, taking into account the needs of the company and the activities they carry out.

REVIEW

This Policy document comes into force from the moment it is approved by the AKÇA Board of Directors. AKÇA Board of Directors is authorized to decide on the repeal of this Policy, the changes to be made within the Policy and how it will be put into effect.

AKÇA PDP Policy was published by AKÇA on its website and made available to the public. In case of conflict between the current legislation, especially the PDP Law, and the regulations contained in this Policy, the provisions of the legislation shall apply.

AKÇA reserves the right to make changes to the AKÇA PDP Policy in parallel with legal regulations. The current version of AKÇA PDP Policy can be accessed on the AKÇA website (http://www.akcamakina.com.tr/).