1. INTRODUCTION
1.1 The Purpose and Scope of the Policy
The Çelik Motor Ticaret A.Ş Policy on The Protection and Processing of Personal Data (“Policy’’) herein aims to determine the principles to be followed to fulfill of the obligations of Çelik Motor Ticaret Anonim Şirketi’(“Çelik Motor” or “Company”) under the Law No. 6698 on the Protection of Personal Data (‘’Law’’) which has entered into force on 7 April 2016 and ensuring compliance with the Law of data protection and data processing operations of the Company.
The Policy specifies the processing conditions of personal data and sets out the main principles adopted by the Company in the processing of personal data. In this context, the Policy comprises all personal data processing activities, the data subjects whose personal data are processed, and all personal data processed by the Company.
Issues related to the processing of personal data of Company employees are not covered by this Policy, and are regulated separately in the Processing and Protection of Employee Personal Data Policy of Çelik Motor Ticaret Anonim Şirketi.
Definitions related to the terms used in the Policy are given in ANNEX-1.
1.2. Enforcement and Amendments
The company is going through the public opinion about the current politics on their website. In case of contradiction between the legislation in force and regulations in this policy, the provisions of the policy shall apply primarily the Law.
The company reserves the right to make changes to the policy in accordance with the legal regulations. The current version of the Policy is available on the Company website at https://www.garenta.com.tr/en/personal-data-protection-policy/
2.2. DATA SUBJECTS, DATA PROCESSING PURPOSES AND DATA CATEGORIES FOR PERSONAL DATA PROCESSING ACTIVITIES CONDUCTED BY OUR COMPANY
2.1. Data Subjects
All data subjects whose personal data are being processed by the Company are within the scope of the Policy except for Company employees. In this context, the data subject categories in general can be listed as follows:
CATEGORİZATION OF DATA OWNER |
EXPLANATION |
|
1 |
Customer |
It refers to real persons who benefit from the products and services offered by the Company. |
2 |
Potential Customer |
It refers to real persons who have the interest to use the products and services offered by the Company and have the potential to become customers. |
3 |
Visitor |
It refers to real persons who visit the Company, Company premises, and Website. |
4 |
Employee Candidates |
It refers to real persons who apply for a job by sending a CV to the company or by other means. |
5 |
Third Person |
It refers to real persons except the data subject categories mentioned above and the Company employees. |
Data subject categories are provided for informational purposes. The data subject not being included in the scopes of these categories, does not abolish the data subject status as mentioned in the Act.
2.2. Purposes for Personal Data Processing
Your personal, including special categories of personal data may be processed by the Company in accordance with the personal data processing requirements set out in the Law and the applicable legislation for the following purposes:
MAIN PURPOSES |
SUB-PURPOSES |
Conducting Internal Operations |
|
Activities of Legal, Technical and Administrative Consequences |
|
Processes and Operations Concerning Customers |
|
Financial Operations |
|
Strategy Planning & Business Partners/ Suppliers Management |
|
Marketing Operations |
|
2.3. Personal Data Categories
Your personal data, which are categorized below, are processed by the Company in accordance with the personal data processing conditions stated in the Law and the related legislation:
CATEGORIZATION OF PERSONAL DATA |
EXPLANATION |
Identity Information |
All information about personal identity provided on the documents such as Driver’s Licence, Identity Document, Residency, Passport, Advocate Identity, Marriage Records |
Contact Information |
Information about contacting the Data Owner provided on the documents such as Telephone Number, address, e-mail which explicitly belongs to the data owner to communicate |
Customer Information |
Information obtained and produced about the relevant person as a result of our commercial activities and operations carried out by our business units within this framework |
Information on Family Members and Relatives |
Information relating to the family member and relatives of the data subject of the personal data that is processed for the purposes of protecting the legal interests of the Company and the data subject or processed in relation to the offering of goods and services |
Customer Transaction Information |
Information such as records of the use of goods and services and instructions and requests necessary for customer’s use of goods and services |
Security Information of Physical Premises |
Personal data relating to the camera and fingerprint records and documents obtained when entering to physical premises and during visits |
Process Security Information |
Personal data processed for the purposes of ensuring technical, administrative, legal and commercial security of our Company |
Financial Information |
Personal data processed with respect to indicating all financial information, document and records generated based on the nature of the legal relation established between our company and the data subject |
Employee Candidate Information |
Personal data processed relating to the candidates who have applied to our Company in order to become an employee or are deemed as candidate employee due to the requirements of the human resources of our company as per the customs of trade and principles of good faith |
Legal Operation and Compliance Information |
Personal data processed for the purposes of determining and enforcing our legal claims and rights and performance of our obligations and within the scope of compliance with the legal obligations of our Company and Company policies |
Auditing and Inspection Information |
Personal data processed within the scope of compliance with the legal obligations of our Company and Company policies |
Special Categories of Personal Data |
Data related to the data subject’s race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, costume and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data are considered as private personal data. |
Marketing Information |
Personal data processed for the marketing and customization of our products and services in accordance with the usage habits, tastes and needs of the personal data subject and the reports and evaluations created as a result of these processing operations. |
Request/ Complaint Management Information |
Personal Data for the purpose of evaluate and receive all kinds of requests and complaints directed to our Company |
Reputation Management Information |
Information related to actions taken for protecting the commercial reputation of our Company and evaluation reports related to this information |
Event Management Information |
Personal Data processed to take necessary legal, technical and administrative measures against the incidents in order to protect the commercial rights and interests of our Company and the rights and interests of our customers |
3. PRINCIPLES AND CONDITIONS FOR PROCESSING PERSONAL DATA
3.1. Principles for Processing Personal Data
Your personal data is processed by the Company in accordance with the personal data processing principles set out in Article 4 of the Law. These principles must be complied with for each personal data processing activity:
3.2. Conditions for Processing Personal Data
Your personal data is processed by the Company only where at least one of the personal data processing conditions stated in Article 5 of the Law is applicable. Explanations on these conditions are as follows:
3.3. Conditions for the Processing of Private Personal Data
In Article 6 of the Law, special categories of personal data are specified in a limited number. These are the relevant data of individual race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data.
The Company may process special categories of personal data by providing additional measures determined by the Personal Data Protection Board in the following cases:
4. TRANSFER OF PERSONAL DATA
In accordance with the additional regulations specified in Articles 8 and 9 of the Law and determined by the Personal Data Protection Board, the Company may transfer personal data at home or abroad in case of illegal processing of personal data
In the event that the country to which the transfer will be made is not among the safe countries to be announced by the Personal Data Protection Board, the personal data may be transferred abroad by relying on a written undertaking between the Company and the data controller in the country concerned where any of the data processing conditions provided under Articles 5 and 6 of the Law are present (see Section 3 of the Policy).
In accordance with the general principles of the Law and the data processing conditions of Articles 8 and 9, the Company may transfer data to the parties categorized in the following table:
SHARED PARTY CATEGORY |
SCOPE |
PURPOSE OF TRANSFER |
Business Partner |
The parties with which the Company has established business partnerships |
In order to fulfill the objectives related to business partnership |
Vendor |
The parties providing services to maintain the Company's commercial activities in accordance with the instructions received and on the basis of an agreement with the Company, |
In order and limited with procuring outsourcing services. |
Subsidiary |
The subsidiaries of the Company |
In order and limited to run business activities involving the participation of subsidiaries |
Legally Authorized Public Institution |
Public institutions and organizations legally authorized to receive information and documents from the Company |
In order to respond information requests of the relevant public institutions and bodies |
Authorized Private Institution |
Legal persons who are authorized to receive information and documents from the Company |
Limited sharing of data for the purpose requested by the relevant private law persons within the legal authority |
5. INFORMING DATA SUBJECTS ABOUT THE PROCESSING AND DATA SUBJECT RIGHTS
According to Article 10 of the Law, data owners should be informed about the processing of personal data before or while processing of their personal data at the latest. In accordance with the relevant article, as a data controller the Company has established an internal structure in order to ensure that data subjects are informed about the processing in every situation where personal data processing is carried out. In this context;
We would like to state that you, as data subject, have the following rights under Article 11 of the Law:
In order to exercise your rights mentioned above, you may fill the Çelik Motor Ticaret Anonim Şirketi Data Subject Application Form located at the address https://images.garenta.com.tr/Garenta-Veri-Sahibi-Basvuru-Formu.pdf and convey your request to our Company. In principle, responses to data subject requests are concluded free of charge, in accordance with the nature of your request; however, you may be charged according to the tariff to be determined by the Personal Data Protection Board if the request requires additional costs.
During the evaluation of the applications, the Company first determines whether the person submitting the application is the correct rightsholder. Additionally, the Company may request detailed and additional information in order to better understand the requests where deemed necessary. Responses to data subject applications are notified to the data owners in writing or electronically by the Company. If the application is rejected, the reasons for rejection will be explained to the data subject.
In case the personal data is not obtained directly from the data subject; the activity of informing the data subject is conducted at the latest by the Company; (1) in a reasonable time from the obtaining of the personal data, (2) if the personal data is to be used to contact the data subject, during the first contact, (3) if the personal data is to be transferred, during the first transfer.
6. THE DELETION, DISPOSAL AND MAKING ANONYMOUS OF PERSONAL DATA
In accordance with Article 7 of the Law, although previously have been processed in accordance with the law, the Company erases, destroys or anonymizes the personal data where the purposes for its processing are no longer applicable on its own accord or upon the request of the data subject, in accordance with the guidelines issued by the Authority.
7. RESTRICTIONS ON SCOPE AND APPLICATION OF LAW
The following cases falls outside of the scope of the Law:
The Company does not require inform the data subjects in the following cases and the data owners will not be able to exercise their rights, except for their right regarding to compensate the damages suffered:
DESCRIPTION |
|
Explicit Consent |
freely given, specific and informed consent, |
Making Anonymous |
rendering personal data impossible to link with an identified or identifiable natural person, even though matching them with other data |
Employee |
Real persons that are company employees |
Employee Candidate |
Real persons who are company employee candidates |
Personal Health Data |
Any health information relating to an identified or identifiable natural person |
Personal Data |
Any information relating to an identified or identifiable natural person |
Data Subject |
Real person whose personal data has been processed |
Processing of Personal Data |
any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means |
Law |
Law No. 6698 on Protection of Personal Data, published in the Official Gazette No. 29677 dated April 7, 2016 |
Special Categories of Personal Data |
Data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise, association foundation or union membership, health, sex, criminal conviction and security measures, and biometric and genetic data |
Policy |
Çelik Motor Ticaret Anonim Şirketi Personal Data Processing and Protection Policy |
Company / Çelik Motor |
Çelik Motor Ticaret Anonim Şirketi |
Business Partners |
People with whom the Company has established a contractual relationship within the framework of its commercial activities |
Data Processor |
A real or legal person that processes personal data on behalf of the data officer in accordance with the authorization |
Data Controller |
The person who determines the purposes and means of the processing of personal data and managing the data registry system. |