GDPR

1 INTRODUCTION

Mitra Mermer AS (“Mitra Marble”) attaches importance to the protection of personal data in its activities and considers it among its priorities in its business and transactions. Mitra Marble Personal Data Protection and Processing Policy (“Policy”) is the basic regulation for the harmonization of the personal data processing procedures and principles determined by the Law No. 6698 on the Protection of Personal Data (“Law”) with Mitra Marble organization and business processes. In line with the principles of this Policy, Mitra Marble processes and safeguards personal data with a high level of responsibility and awareness, and ensures the necessary transparency by informing the personal data owners.

1.1. Objective

The purpose of this Policy is to ensure that by harmonizing the procedures and principles stipulated by the Law and other respective legislation with Mitra Marble's organization and processes, they are effectively implemented in its activities. Mitra Marble takes all kinds of administrative and technical measures with this Policy for the processing and protection of personal data, creates necessary internal procedures, raises awareness, and also holds all necessary trainings to raise awareness. All necessary measures are taken and appropriate and effective audit mechanisms are established for the compliance of shareholders, officials, employees, and business partners with the Law processes.

1.2. Scope

The policy covers all personal data obtained automatically in Mitra Marble business processes or by non-automatic means provided that it is a part of any data recording system.

1.3. Justification

The Policy is based on the Law and respective legislation. Personal data is processed to fulfill the legal obligations arising from the Personal Data Protection Law No. 6698, Turkish Code of Obligations Law No. 6098, Turkish Penal Code No. 5237, Identity Reporting Law No. 1774, Labor Law No. 4857, Social Insurance and General Health Insurance Law No. 5510, Unemployment Insurance Law No. 4447, Tax Procedure Law No. 213, the Turkish Commercial Code No. 6102, the Law on the Protection of the Consumer No. 6502 and the Laws amending this Law and other respective legislation.
In case of inconsistency between the current legislation and the Policy, the current legislation is applied. The regulations stipulated by the respective legislation are transformed into Mitra Marble applications with the Policy.

1.4. Definitions

Express consent: Consent that is based on information and expressed with free will regarding a particular subject.
Application form: The application form regarding the applications to be made by the data owner (Personal Data Owner) to the data controller, containing the application of personal data owners to exercise their rights, drawn up in accordance with the Law on the Protection of Personal Data No. 6698 and the Communiqué on the Procedures and Principles of Application to the Data Controller issued by the Personal Data Protection Authority.
Related user: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.
Destruction: Deletion, destruction, or anonymization of personal data.
Recording media: Any environment where personal data is processed entirely or partially automatically or non-automatically, provided that it is a part of any data recording system.
Personal data: All kinds of information relating to an identified or identifiable natural person.
Processing of personal data: All kinds of operations performed on data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying, or blocking using personal data completely or partially by automatic or non-automatic means provided that it is a part of any data recording system.
Anonymization of personal data: Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Personal data owner: Natural person whose personal data is processed by or on behalf of Mitra Marble.
Deletion of personal data: Making personal data inaccessible and non-reusable for Respective Users in any way.
Destruction of personal data: The process of making personal data inaccessible, irretrievable, and non-reusable by anyone in any manner.
Board: Personal Data Protection Board.
Organization: Personal Data Protection Authority.
Special personal data: Data on people's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures and biometric and genetic data.
Periodic destruction: In the event that all of the personal data processing conditions in the Law are eliminated, the deletion, destruction, or anonymization process to be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller.
Data Recording System: The registration system in which personal data is processed and structured according to certain criteria.
Data owner / Contact Person: Natural person whose personal data is processed.
Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Representative: A natural person appointed to fulfill the duties of the Data Controller within the scope of the respective laws in accordance with the Law.
Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on October 28, 2017.

2.1. Ensuring the Security of Personal Data

Mitra Marble takes the necessary measures stipulated in Article 12 of the Law, in order to prevent unlawful disclosure, access, transfer or security problems that may occur in other ways, according to the nature of the personal data. Mitra Marble takes measures and performs inspections to ensure the required level of personal data security in accordance with the guidelines published by the Personal Data Protection Authority.

2.2. Protection of Private Personal Data

The precautions taken for the protection of personal data of a private nature regarding race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions, security measures, and biometric and genetic data are carefully implemented and necessary inspections are carried out.

2.3. Developing Awareness of Protection and Processing Personal Data

Mitra Marble provides the necessary trainings to the respective persons for the legal processing and access of personal data, data protection, and raising awareness for the use of rights.
Mitra Marble creates the necessary business processes and receives support from consultants if needed, in order to increase the awareness of employees about protecting personal data. The deficiencies encountered in practice and the result of the trainings are evaluated by Mitra Marble management. In case of need, new trainings are organized depending on the changes in the legislation related to these evaluations.

3.1. Processing of Personal Data in Compliance with the Legislation

Personal data is processed in accordance with the legislation in line with the principles set out below.

  • i. Processing in Compliance with the Rule of Law and Integrity

    Personal data is processed to the extent required by business processes, with limitations to them, without harming the fundamental rights and freedoms of individuals, in accordance with the law and the rule of good faith.

  • ii. Ensuring that Personal Data is Up-to-Date and Accurate

    Necessary measures are taken to keep the processed personal data up-to-date and accurate and work is conducted as planned and programmed.

  • iii. Processing for Specific, Explicit, and Legitimate Purposes

    Personal data is processed depending on the legitimate purposes determined and explained in the business processes.

  • iv. Being Related to the Purpose for which they are Processed, Limited, and Measured

    Personal data is collected in the quality and extent required by the business processes, and is processed in a limited manner depending on the designated purposes.

  • v. Protection for the Time Required

    Personal data is kept for the minimum period required for the purpose of processing personal data and stipulated in the respective legislation. If a period of time is stipulated for the storage of personal data in the respective legislation, personal data is kept for that period; if it is not, personal data is kept for the period required for the purpose for which it is processed. At the end of the storage period, personal data is destroyed by appropriate methods (deletion, destruction, or anonymization) in accordance with the periodic destruction periods or with the application of the data owner.

3.2. Personal Data Processing Conditions

Personal data is processed based on the explicit consent of the owner or one or more of the following conditions.

i. Presence of the Explicit Consent of the Personal Data Owner

The processing of personal data is carried out with the express consent of the data owner. The explicit consent of the personal data owner is obtained by informing him/her about a certain subject and on the basis of his/her free will.

ii. Lack of Explicit Consent of the Personal Data Owner

In case of any of the conditions listed below, personal data may be processed without the need for the explicit consent of the data owner.

a. Express Regulation in Laws

In case there is a clear regulation regarding the processing of personal data in the law, personal data may be processed without the consent of the data owner.

b. Failure to Receive the Explicit Consent of the Related Person due to the Physical Impossibility

The personal data of the data owner may be processed if it is mandatory to process the personal data of the person who is unable to express his or her consent or whose consent cannot be validated due to physical impossibility, in order to protect the life or physical integrity of himself or another person.

c. Direct Relation with the Establishment or Performance of a Contract

If the processing of personal data is directly related to the establishment or performance of a contract to which the data owner is a party, the personal data of the data owner may be processed.

d. Fulfillment of Legal Obligation

While Mitra Marble fulfills its legal obligations, personal data of the data owner may be processed if personal data processing is mandatory.

e. Making Personal Data Public by Personal Data Owner

Personal data of data owners who make their personal data public may be processed, with limitation to the purpose of making their personal data public.

f. Mandatory Data Processing for the Establishment or Protection of a Right

If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.

g. Mandatory Data Processing for Legitimate Interest

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is necessary for the legitimate interests of Mitra Marble.

3.3. Processing of Private Personal Data

Mitra Marble processes private personal data in accordance with the principles set forth in the Law and Policy, by taking all necessary administrative and technical measures with the methods determined by the Board, with the following procedures and principles:

  • i. Private personal data other than health and sexual life: In case there is an express provision in the law regarding the processing, it can be processed without seeking the explicit consent of the data owner. In cases not expressly stipulated in the law, the explicit consent of the data owner is obtained.
  • ii. Private personal data regarding health and sexual life: may be processed without the explicit consent of the data owner for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. Otherwise, the explicit consent of the data owner is obtained.

3.4. Informing Personal Data Owner

Mitra Marble informs the personal data owners about the purposes for which their personal data is processed, with whom it is shared, with what methods it is collected, the legal reason and the rights of the data owners in the processing of their personal data in accordance with the respective legislation. In this respect, the protection of personal data is executed in accordance with other policy documents and clarification texts prepared within the framework of the principles in the Policy.

3.5. Transfer of Personal Data

Mitra Marble may transfer personal data and sensitive personal data to third parties in accordance with the law by taking the necessary security measures for the purposes of personal data processing. Mitra Marble performs the transfer transactions in accordance with the regulations stipulated in Article 8 of the Law.

i. Transfer of Personal Data

While the explicit consent of the personal data owner is required for the transfer of personal data, personal data can be transferred to third parties by taking all necessary security measures, including the methods stipulated by the Board, based on one or more of the following conditions.

  • a. It is clearly stipulated in the law,
  • b. It is directly related to and necessary for the establishment or performance of a contract,
  • c. It is mandatory for Mitra Marble to fulfill its legal obligations,
  • d. Limited for the purpose of making the personal data public, provided that the personal data has been made public by the data owner,
  • e. It is mandatory for the establishment, use, or protection of the rights of Mitra Marble, the data owner, or third parties,
  • f. It is mandatory for the legitimate interests of Mitra Marble, on condition that it does not harm the fundamental rights and freedoms of the data owner,
  • g. It is mandatory in order to protect the life or physical integrity of the person or of someone else, where the person is unable to express his or her consent due to physical impossibility or his or her consent is not legally valid.

Personal data related to any of the above-mentioned situations can be transferred to foreign countries that are determined to have adequate protection and declared as "Foreign Country with Sufficient Protection" by the Board. Personal data can be transferred according to the conditions stipulated in the legislation to those who are in the status of "Foreign Country where the Data Controller Undertaking Sufficient Protection is Present," which do not have adequate protection, which undertake in writing to provide adequate protection in Turkey and abroad, and for which the Board has given permission.

ii. Transfer of Private Personal Data

Special categories of personal data can be transferred in accordance with the principles set out in the Policy, by taking all necessary administrative and technical measures, including the methods to be determined by the Board, under the conditions provided below:

  • a. Special categories of personal data other than health and sexual life; without seeking the explicit consent of the data owner if there is an explicit provision in the law regarding the processing of personal data, otherwise, in case of receiving the explicit consent of the data owner.
  • b. Special categories of personal data regarding health and sexual life; for the purpose of protecting public health, performing preventive medicine, medical diagnosis, provision of treatment and care services, planning and managing health services and financing, without seeking the explicit consent of persons or authorized institutions and organizations under the obligation of confidentiality, otherwise, in case of receiving the explicit consent of the data owner.

Personal data can be transferred to those in the status of "Foreign Country with Sufficient Protection" in case of presence of any of the above conditions; in case of lack of sufficient protection, to those in the status of "Foreign Country where the Data Controller Undertaking Sufficient Protection is Present" in accordance with the data transfer conditions regulated in the legislation.

In its Management, Administrative Affairs, Purchasing, Factory Management, and IT business, Mitra Marble processes the data categories and personal data (Annex-1) of personal data owners consisting of employee candidates, employees, shareholders/partners, potential product or service buyers, supplier employees, supplier representatives, product or service buyers, parent/guardian/representatives, visitors, family members and their relatives, in line with the personal data processing purposes (Annex-2). The processing purposes according to the data categories and the details of the data subject groups are notified in the area of Mitra Marble at verbis.kvkk.gov.tr.

Personal data is processed according to the determined purposes in order to perform in accordance with the general principles specified in the Law, especially the principles set out in the Article 4 of the Law on the processing of personal data processing purposes, according to personal data categories, by informing the respective persons pursuant to Article 10 of the Law and other legislation, based on and limited to at least one of the personal data processing conditions specified in Article 5 and 6 of the Law.

In line with the principles set forth in section "3.5. Transfer of Personal Data" of the Policy, personal data can be shared for the determined purposes (Annex-3) with parties such as shareholders, suppliers, authorized public institutions and organizations, institutions from whom we receive contracted services and with whom we cooperate, and customers. Personal data is not transferred to foreign countries.

Mitra Marble takes the necessary technical and administrative measures to protect the personal data it processes in accordance with the procedures and principles set out in the Law, carries out the necessary inspections in this context, and conducts awareness-raising and training activities.

Mitra Marble informs the respective persons and units as soon as possible, in the event that the processed personal data is seized by third parties by unlawful means, despite all the technical and administrative measures taken.

Mitra Marble retains personal data for the minimum period stipulated in the respective legislation for the period required for the purpose of processing. Mitra Marble, first of all, retains personal data if a period is determined in the respective legislation, as suitable for this period; if a legal period is not stipulated, it retains the personal data for the period necessary for the purpose of processing it. Personal data is destroyed by the specified method (deletion, destruction, or anonymization) at the end of the specified storage periods, in accordance with the periodic destruction periods or with the application of the data owner.

7.1. Rights of Personal Data Owner

Personal data owners have the following rights arising from the Law:

  • i. Learning whether personal data is processed or not,
  • ii. If personal data has been processed, requesting information about it,
  • iii. Learning the purpose of processing personal data and whether they are used in accordance with its objective,
  • iv. Knowing the third parties to whom personal data is transferred domestically or abroad,
  • v. Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
  • vi. Requesting the deletion or destruction of personal data if the reasons requiring its processing no longer exist despite the fact that it has been processed in accordance with the provisions of the law and other respective laws, and requesting that the transaction carried out within this scope be notified to the third parties to whom the personal data has been transferred,
  • vii. Objecting to the emergence of a result against the person himself by means of analyzing the processed data exclusively through automated systems,
  • viii. Requesting the compensation of the damage in case of loss due to unlawful processing of personal data.

7.2. Exercise of Personal Data Owner's Rights

Personal data owners can forward their requests regarding the rights listed in Article 6.1. to Mitra Marble through the methods determined by the Board. Personal data owners and those who have the right to apply on their behalf can apply to Mitra Marble by filling in the "Data Owner Application Form" (Annex-4).

7.3. Responding to Applications

Mitra Marble finalizes the applications made by the personal data owner in accordance with the Law and other legislation. Requests submitted to Mitra Marble in accordance with the procedure are finalized as soon as possible and within 30 (thirty) days at the latest, free of charge. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.

7.4. Rejection of Personal Data Owner's Application

 

  • i. Processing personal data for purposes such as research, planning, and statistics by way of making them anonymous with official statistics,
  • ii. Processing personal data for art, history, literature, or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy, or personal rights, or constitute a felony,
  • iii. Processing personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order, or economic security,
  • iv. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial, or execution proceedings,
  • v. Personal data processing is required for the prevention of crime or for criminal investigation,
  • vi. Processing of personal data made public by the personal data owner,
  • vii. Personal data processing is required for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority granted by the law,
  • viii. Personal data processing is required for the protection of the economic and financial interests of the State with regard to budget, tax, and financial issues,
  • ix. If the request of the personal data owner has the possibility to prevent the rights and freedoms of other persons,
  • x. Making requests that require disproportionate effort,
  • xi. The requested information is publicly available.

7.5. Right of Personal Data Owner to Complain to the KVK Board

In cases where the application is rejected in accordance with the Article 14 of the Law, the answer given is found insufficient, or the application is not answered in due time, the data owner can make a complaint to the Board within thirty days from the date of learning the answer of Mitra Marble and in any case within sixty days from the date of application.

7.6. Information

Mitra Marble may request information from the respective person in order to determine whether the applicant has personal data. Mitra Marble may ask questions about the personal data owner's application in order to clarify the matters in the personal data owner's application.

The policy has been approved and put into effect by the Board of Directors. The technical execution of the policy is provided with the “Personal Data Retention and Destruction Policy.”

Execution of the Policy in business processes, before the parties, is carried out with "Customer Clarification Text," "Supplier Clarification Text," "Corporate Confidentiality Commitment," "Employee Clarification and Express Consent Statement," "Employee Confidentiality Agreement," "Employee Candidate Clarification Statement of Explicit Consent," "Website Cookie Clarification Text," and "Camera Recording Systems Clarification Text."

The Board of Directors is responsible for the execution of the Law and Policy and updating it when necessary and the Mitra Marble Personal Data Protection Committee is responsible for the follow-up, coordination, and supervision of all works and transactions within this scope.

The policy has entered into force as of the date of its publication. The changes that will take place in the Policy are published and made available to personal data owners and respective persons on Mitra Marble's website (www.mitramermer.com). Policy changes enter into effect on the date they are announced.

ANNEXURE

  • Annex 1- Data Categories and Personal Data
  • Annex 2- Purposes of Personal Data Processing
  • Annex 3- Persons to whom Personal Data is Transferred and Purposes of Transfer
  • Annex 4- Data Owner Application Form
  • Annex 5- Personal Data Retention and Disposal Policy
  • Annex 6- Customer Clarification Text
  • Annex 7- Website Cookie Clarification Text
  • Annex 8- Clarification Text of Camera Recording Systems