ÇELİK MOTOR TİCARET A.Ş POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

1. INTRODUCTION

1.1 The Purpose and Scope of the Policy

The Çelik Motor Ticaret A.Ş Policy on The Protection and Processing of Personal Data (“Policy’’) herein aims to determine the principles to be followed to fulfill of the obligations of Çelik Motor Ticaret Anonim Şirketi’(“Çelik Motor” or “Company”) under the Law No. 6698 on the Protection of Personal Data (‘’Law’’) which has entered into force on 7 April 2016 and ensuring compliance with the Law of data protection and data processing operations of the Company.

 

The Policy specifies the processing conditions of personal data and sets out the main principles adopted by the Company in the processing of personal data. In this context, the Policy comprises all personal data processing activities, the data subjects whose personal data are processed, and all personal data processed by the Company.

Issues related to the processing of personal data of Company employees are not covered by this Policy, and are regulated separately in the Processing and Protection of Employee Personal Data Policy of Çelik Motor Ticaret Anonim Şirketi.
Definitions related to the terms used in the Policy are given in ANNEX-1.

 1.2. Enforcement and Amendments

The company is going through the public opinion about the current politics on their website. In case of contradiction between the legislation in force and regulations in this policy, the provisions of the policy shall apply primarily the Law.

The company reserves the right to make changes to the policy in accordance with the legal regulations. The current version of the Policy is available on the Company website at https://www.garenta.com.tr/en/personal-data-protection-policy/

2.2. DATA SUBJECTS, DATA PROCESSING PURPOSES AND DATA CATEGORIES FOR PERSONAL DATA PROCESSING ACTIVITIES CONDUCTED BY OUR COMPANY

2.1. Data Subjects

All data subjects whose personal data are being processed by the Company are within the scope of the Policy except for Company employees. In this context, the data subject categories in general can be listed as follows:

CATEGORİZATION OF DATA OWNER		EXPLANATION
1	Customer	It refers to real persons who benefit from the products and services offered by the Company.
2	Potential Customer	It refers to real persons who have the interest to use the products and services offered by the Company and have the potential to become customers.
3	Visitor	It refers to real persons who visit the Company, Company premises, and Website.
4	Employee Candidates	It refers to real persons who apply for a job by sending a CV to the company or by other means.
5	Third Person	It refers to real persons except the data subject categories mentioned above and the Company employees.

Data subject categories are provided for informational purposes. The data subject not being included in the scopes of these categories, does not abolish the data subject status as mentioned in the Act.

2.2. Purposes for Personal Data Processing

Your personal, including special categories of personal data may be processed by the Company in accordance with the personal data processing requirements set out in the Law and the applicable legislation for the following purposes:

MAIN PURPOSES	SUB-PURPOSES
Conducting Internal Operations	Planning, Auditing and Execution of Information Security Processes Establishment and Management of Information Technology Infrastructure Planning and Execution of Employees’ Access to Information Systems Event Management Monitoring Financial and Accounting Business Planning and Execution of Activities on performing Efficiency and Appropriateness Analysis of Business Activities Planning and Execution of Business Activities Planning and Execution of Business Partners and Suppliers’ Access to Information Systems Planning and Execution of Business Continuity Activities Planning and Execution of Corporate Communications Planning and Execution of Corporate Sustainability Activities Planning and Execution of Corporate Management Activities Planning and Execution of Logistic Activities Planning and Execution of Production and Operation Process Planning and Monitoring of Structure and Construction Work
Activities of Legal, Technical and Administrative Consequences	Planning and Execution of Emergency Management Processes Planning and Execution of Occupational Health and Safety Process Calculation of Individual Insurance Policy Premiums and Policy Formation Vendor Relations Management and Supervision Initiation of the Damage Claims Processes and Completion of the Relevant Files Monitoring of Legal Works Group Companies IT and Operational Audit Studies Informing authorized Institutions in accordance with the law Keeping and Monitoring of Visitor Records Planning and Execution of Company’s Production and Operational Risk Processes Running of Corporate and Corporations Law Work Ensuring the Security of Company Operations Ensuring the Security of Company Premises and Facilities Planning and Execution of Company’s Financial Risk Process Ensuring the Security of Company Fixtures and Resources Planning and Execution of Company Audit Activities Regulation of Insurance Policies Applications for various transactions of Partners, first degree relatives of the Partners and members of the Board of Directors Planning and Execution of the Operational Activities Necessary for Ensuring of the Company’s Activities in accordance with the Company Procedures and related Legislation Ensuring Accurate and Up-to-Date Data
Processes and Operations Concerning Customers	Monitoring Credit Payments Planning and Execution of After-Sale Support Services Planning and Execution of Product and Service Provision Processes Monitoring Contractual and Legal Processes Planning and Execution of Customer Relations Management Processes
Financial Operations	Banking Transactions Payment of Damage Claims Collection processes
Strategy Planning & Business Partners/ Suppliers Management	Management of Relations with Business Partners and/ or Suppliers Planning and Execution of Training Activities Execution of Strategic Planning Activities
Marketing Operations	Planning and Execution of Establishing and Increasing Commitment to Products and Services Offered by the Company Planning and Execution of Market Research Activities regarding Sale and Marketing of Product and Services Planning and Execution of Product and Services Marketing Planning and Execution of Customer Satisfaction Activities

2.3. Personal Data Categories

Your personal data, which are categorized below, are processed by the Company in accordance with the personal data processing conditions stated in the Law and the related legislation:

CATEGORIZATION OF PERSONAL DATA	EXPLANATION
Identity Information	All information about personal identity provided on the documents such as Driver’s Licence, Identity Document, Residency, Passport, Advocate Identity, Marriage Records
Contact Information	Information about contacting the Data Owner provided on the documents such as Telephone Number, address, e-mail which explicitly belongs to the data owner to communicate
Customer Information	Information obtained and produced about the relevant person as a result of our commercial activities and operations carried out by our business units within this framework
Information on Family Members and Relatives	Information relating to the family member and relatives of the data subject of the personal data that is processed for the purposes of protecting the legal interests of the Company and the data subject or processed in relation to the offering of goods and services
Customer Transaction Information	Information such as records of the use of goods and services and instructions and requests necessary for customer’s use of goods and services
Security Information of Physical Premises	Personal data relating to the camera and fingerprint records and documents obtained when entering to physical premises and during visits
Process Security Information	Personal data processed for the purposes of ensuring technical, administrative, legal and commercial security of our Company
Financial Information	Personal data processed with respect to indicating all financial information, document and records generated based on the nature of the legal relation established between our company and the data subject
Employee Candidate Information	Personal data processed relating to the candidates who have applied to our Company in order to become an employee or are deemed as candidate employee due to the requirements of the human resources of our company as per the customs of trade and principles of good faith
Legal Operation and Compliance Information	Personal data processed for the purposes of determining and enforcing our legal claims and rights and performance of our obligations and within the scope of compliance with the legal obligations of our Company and Company policies
Auditing and Inspection Information	Personal data processed within the scope of compliance with the legal obligations of our Company and Company policies
Special Categories of Personal Data	Data related to the data subject’s race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, costume and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data are considered as private personal data.
Marketing Information	Personal data processed for the marketing and customization of our products and services in accordance with the usage habits, tastes and needs of the personal data subject and the reports and evaluations created as a result of these processing operations.
Request/ Complaint Management Information	Personal Data for the purpose of evaluate and receive all kinds of requests and complaints directed to our Company
Reputation Management Information	Information related to actions taken for protecting the commercial reputation of our Company and evaluation reports related to this information
Event Management Information	Personal Data processed to take necessary legal, technical and administrative measures against the incidents in order to protect the commercial rights and interests of our Company and the rights and interests of our customers

3. PRINCIPLES AND CONDITIONS FOR PROCESSING PERSONAL DATA

3.1. Principles for Processing Personal Data

Your personal data is processed by the Company in accordance with the personal data processing principles set out in Article 4 of the Law. These principles must be complied with for each personal data processing activity:

•  Processing of Personal Data in accordance with the Law and the Good Faith; The Company acts in accordance with the laws, secondary regulations and general principles of law in the processing of your personal data; pays particular attention to processing personal data for the limited purpose of processing and taking into account the reasonable expectations of the data subjects.
• Accurate and up-to-date data; We ensure that your personal data processed by the company is up-to-date and checks are made regarding this. Data subjects are entitled to request correction or deletion of their incorrect and outdated data.
• Processing of Personal Data for specific, clear and legitimate purposes; The Company determines the purposes of data processing prior to each personal data processing activities and ensures that these purposes are not unlawful.
• Processing of adequate, relevant and not excessive Personal Data for the processing purposes; The Company limits the personal data required for the purpose of data collection, and takes necessary steps to ensure that irrelevant personal data is not processed.
• Retaining personal data for as long as required by legislation or processing purposes; The personal data is erased, destroyed or anonymized by the Company after the purpose of personal data processing is no longer valid or after the expiration of the retention period stipulated in the legislation.

 3.2. Conditions for Processing Personal Data

Your personal data is processed by the Company only where at least one of the personal data processing conditions stated in Article 5 of the Law is applicable. Explanations on these conditions are as follows:

 

• Having explicit consent of the personal data subject, where any other data processing condition do not exist, in accordance with the general principles given under the heading 3.1, the personal data can be processed with the permission given by the free will of the data subject, after it has sufficient knowledge of the personal data processing activity.
• In case of the personal data processing activity is expressly provided by the law, personal data processing may be processed by the Company without the explicit consent of the data owner. In this case, the Company will process the personal data in accordance with the relevant legal regulations.
• In case of the explicit consent of the data owner cannot be obtained due to physical incapability and personal data processing is a necessity, Personal data of the data subject who is unable to disclose his consent or whose consent cannot be regarded as valid by the Company, will be processed if it is necessary to process personal data to protect the life or body integrity of the data owner or a third person.
• In case of the Personal data processing is directly related to the establishment or performance of a contract, personal data processing will be performed if it is necessary to process the personal data of the parties of the contract established or already signed between the data subject and the Company.
• In case of the personal data processing activity is required to fulfill the legal obligation of the data controller, The Company processes personal data in order to fulfill its legal obligations under the applicable legislation.
• Where the data subject has publicized his personal data, the Company may process the personal data that is disclosed to the public in any manner limited with the initial purpose for the publicization without the explicit consent of the data owners.
• If it is compulsory to process personal data for the establishment, use or protection of a right, the Company which is under the obligation will be able to process the personal data of the data owner without the explicit consent of the data owners.
• Without prejudice to the fundamental rights and freedoms of the data owner, in case of the data owner is requires to process data for the legitimate interests, Personal data may be processed by the Company provided that the balance of interest of the Company and the data holder is observed. In this context, in the processing of data based on legitimate interest, the Company first determines the legitimate interest which will obtain as a result of the processing activity. It performs the processing activities if it evaluates the possible impact of the processing of personal data on the rights and freedoms of the data owner and considers the balance to be intact.

3.3. Conditions for the Processing of Private Personal Data

In Article 6 of the Law, special categories of personal data are specified in a limited number. These are the relevant data of individual race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data.

The Company may process special categories of personal data by providing additional measures determined by the Personal Data Protection Board in the following cases:

• Processing of private personal data other than health and sexual life, such e data may be processed if the data owner gives an explicit consent or in case it is expressly provided by the law.
• Personal Data regarding to Health and Sexual Life, may only process without express consent of data subject for the purpose of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing by whom are under an obligation of secrecy or authorized institution and establishment.

 

 

 

4. TRANSFER OF PERSONAL DATA

In accordance with the additional regulations specified in Articles 8 and 9 of the Law and determined by the Personal Data Protection Board, the Company may transfer personal data at home or abroad in case of illegal processing of personal data

 

• Transfer of personal data to third parties in Turkey, may be processed by the Company in the presence of at least one of the data processing conditions set out in Articles 5 and 6 of the Law and under Section 3 of this Policy.
• The transfer of personal data to third parties abroad, in the event that the data subject does not give its explicit consent, personal data may be transferred abroad by the Company in the existence of at least one of the data processing conditions set out in Articles 5 and 6 of the Law and a data processing purpose stated under section 3 of this Policy.

In the event that the country to which the transfer will be made is not among the safe countries to be announced by the Personal Data Protection Board, the personal data may be transferred abroad by relying on a written undertaking between the Company and the data controller in the country concerned where any of the data processing conditions provided under Articles 5 and 6 of the Law are present (see Section 3 of the Policy).

In accordance with the general principles of the Law and the data processing conditions of Articles 8 and 9, the Company may transfer data to the parties categorized in the following table:

SHARED PARTY CATEGORY	SCOPE	PURPOSE OF TRANSFER
Business Partner	The parties with which the Company has established business partnerships	In order to fulfill the objectives related to business partnership
Vendor	The parties providing services to maintain the Company's commercial activities in accordance with the instructions received and on the basis of an agreement with the Company,	In order and limited with procuring outsourcing services.
Subsidiary	The subsidiaries of the Company	In order and limited to run business activities involving the participation of subsidiaries
Legally Authorized Public Institution	Public institutions and organizations legally authorized to receive information and documents from the Company	In order to respond information requests of the relevant public institutions and bodies
Authorized Private Institution	Legal persons who are authorized to receive information and documents from the Company	Limited sharing of data for the purpose requested by the relevant private law persons within the legal authority

5. INFORMING DATA SUBJECTS ABOUT THE PROCESSING AND DATA SUBJECT RIGHTS

According to Article 10 of the Law, data owners should be informed about the processing of personal data before or while processing of their personal data at the latest. In accordance with the relevant article, as a data controller the Company has established an internal structure in order to ensure that data subjects are informed about the processing in every situation where personal data processing is carried out. In this context;

 

• For information on the purposes pursued in processing your personal data, please see Section 2.2 of the Policy.
• For information on the parties to whom your personal data has been transferred to and the purposes pursued during such transfers, please refer to Section 4 of the Policy.

We would like to state that you, as data subject, have the following rights under Article 11 of the Law:

• To learn whether your personal data are being processed,
• To Request information, if your personal data have been processed,
• To Learn the purpose of the processing of your personal data and whether data are being used in compliance with such purpose;
• To Learn the third parties to whom the data are transferred domestically or abroad,
• To request rectification of the processed personal data which are processed incompletely or inaccurately,
• To request erasure or destruction of your personal data under the conditions specified in the relevant legislation,
• To request the processes of correction, erasure and destruction under the relevant legislation are notified to third persons to whom personal data is transferred.
• To object to negative consequences to you that are concluded, as a result of analysis of the processed personal data through solely automatic systems,
• To demand compensation for the damages that you have suffered as a result of an unlawful processing of your personal data.

In order to exercise your rights mentioned above, you may fill the Çelik Motor Ticaret Anonim Şirketi Data Subject Application Form located at the address https://images.garenta.com.tr/Garenta-Veri-Sahibi-Basvuru-Formu.pdf and convey your request to our Company. In principle, responses to data subject requests are concluded free of charge, in accordance with the nature of your request; however, you may be charged according to the tariff to be determined by the Personal Data Protection Board if the request requires additional costs. 

During the evaluation of the applications, the Company first determines whether the person submitting the application is the correct rightsholder. Additionally, the Company may request detailed and additional information in order to better understand the requests where deemed necessary. Responses to data subject applications are notified to the data owners in writing or electronically by the Company. If the application is rejected, the reasons for rejection will be explained to the data subject.

In case the personal data is not obtained directly from the data subject; the activity of informing the data subject is conducted at the latest by the Company; (1) in a reasonable time from the obtaining of the personal data, (2) if the personal data is to be used to contact the data subject, during the first contact, (3) if the personal data is to be transferred, during the first transfer.

6. THE DELETION, DISPOSAL AND MAKING ANONYMOUS OF PERSONAL DATA

In accordance with Article 7 of the Law, although previously have been processed in accordance with the law, the Company erases, destroys or anonymizes the personal data where the purposes for its processing are no longer applicable on its own accord or upon the request of the data subject, in accordance with the guidelines issued by the Authority.

7. RESTRICTIONS ON SCOPE AND APPLICATION OF LAW

The following cases falls outside of the scope of the Law:

• personal data is processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him in the same household provided that it is not to be disclosed to third parties and the obligations about data security is to be complied with,
• personal data is processed for the purpose of official statistics and for research, planning and statistical purposes after having been anonymized,
• personal data is processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defense, national security, public security, public order, economic security, right to privacy or personal rights are not violated or they are processed so as not to constitute a crime,
• personal data is processed by judicial authorities or execution authorities with regard to investigation, prosecution, criminal proceedings or execution proceedings.

The Company does not require inform the data subjects in the following cases and the data owners will not be able to exercise their rights, except for their right regarding to compensate the damages suffered:

• Personal data processing is necessary for crime prevention or crime investigation
• Processing of personal data is carried out on the data which is made public by the data subject himself
• Processing of personal data is required for inspection or regulatory duties and disciplinary investigation and prosecution to be carried out by the public institutions and organizations and by professional associations having the status of public institution, assigned and authorized for such actions,  in accordance with the power conferred on them by the law
• Personal data processing is required for protection of State’s economic and financial interests with regard to budgetary, tax-related and financial issues.

DESCRIPTION
Explicit Consent	freely given, specific and informed consent,
Making Anonymous	rendering personal data impossible to link with an identified or identifiable natural person, even though matching them with other data
Employee	Real persons that are company employees
Employee Candidate	Real persons who are company employee candidates
Personal Health Data	Any health information relating to an identified or identifiable natural person
Personal Data	Any information relating to an identified or identifiable natural person
Data Subject	Real person whose personal data has been processed
Processing of Personal Data	any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means
Law	Law No. 6698 on Protection of Personal Data, published in the Official Gazette No. 29677 dated April 7, 2016
Special Categories of Personal Data	Data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise, association foundation or union membership, health, sex, criminal conviction and security measures, and biometric and genetic data
Policy	Çelik Motor Ticaret Anonim Şirketi Personal Data Processing and Protection Policy
Company / Çelik Motor	Çelik Motor Ticaret Anonim Şirketi
Business Partners	People with whom the Company has established a contractual relationship within the framework of its commercial activities
Data Processor	A real or legal person that processes personal data on behalf of the data officer in accordance with the authorization
Data Controller	The person who determines the purposes and means of the processing of personal data and managing the data registry system.