- Söğütözü Mahallesi Söğütözü Caddesi No:2A İç Kapı No:36 Çankaya/ANKARA
- +1-800-456-478-23
KVKK Information Text
SAMAŞ SANAYİ MADENLERİ ANONİM ŞİRKETİ
POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA
Table of Contents
3.1. Processing in Accordance with the Law and Principles of Integrity. 3
3.2. Ensuring Accuracy and, Where Necessary, Keeping Personal Data Up to Date. 4
3.3. Processing for Specific, Explicit and Legitimate Purposes 4
3.4. Being Relevant, Limited and Proportionate to the Purpose for Which They Are Processed. 4
4.1. Categories of Personal Data 5
4.2. Categories of Data Subjects 5
4.3. Purposes of Processing Personal Data. 5
4.4. Conditions for Processing Personal Data. 5
4.5. Conditions for Processing Special Categories of Personal Data. 6
4.6. Methods of Collecting Personal Data. 6
4.7. Transfer of Personal Data. 7
4.7.2. International Transfers 7
4.8. Storage and Disposal of Personal Data. 7
1. PURPOSE AND SCOPE
The protection of personal data and the safeguarding of privacy have been adopted as a part of the corporate culture of Samaş Sanayi Madenleri Anonim Şirketi (“SAMAŞ” or the “Company”). In the course of its operations, the Company exercises utmost care and diligence to process and protect personal data belonging to natural persons in accordance with applicable legal norms and universal legal principles. The Company processes and protects personal data in its capacity as a data controller within the scope of this Personal Data Processing and Protection Policy (“Policy” or “PDPP”).
This PDPP applies to the personal data of individuals, excluding our employees, that are processed by the Company through fully or partially automated means or by non-automated means, provided that the data is part of a data recording system. The Policy outlines how the principles and rules set forth by the relevant legislation are implemented within the Company’s personal data protection procedures. While this Policy defines the Company’s general principles and procedures regarding the processing and protection of personal data, the obligation to inform data subjects as per Article 10 of the Personal Data Protection Law (PDPL) is fulfilled through specific privacy notices provided to the data subjects in relation to the relevant processing activities.
The primary legal framework governing the protection and lawful processing of personal data consists of the applicable legislation in force, secondary regulations, and universal legal principles. In the event of any conflict between this PDPP and the applicable legal regulations, the provisions of the latter shall prevail.
We may update this Policy when necessary; therefore, please ensure that you refer to the most current version of our Policy on the date you use our services.
2. DEFINITIONS
ABBREVIATION | DEFINITION |
“Explicit Consent” | Consent that is given freely, based on information, and expressed with free will for a specific subject. |
“Obligation to Inform” | The obligation of the Company, as the Data Controller or through its authorized representatives, to inform Data Subjects at the time of collecting personal data, in accordance with Article 10 of the Personal Data Protection Law and the Communiqué on the Principles and Procedures to be Followed in Fulfilling the Obligation to Inform. |
“Data Subject”, “Relevant Person” | The natural persons whose personal data are processed by the Company or by persons/institutions authorized on behalf of the Company. |
“Destruction” | Means the deletion, destruction, or anonymization of personal data. |
“Personal Data” | Any information relating to an identified or identifiable natural person. |
“Anonymization of Personal Data” | The process by which personal data is rendered incapable of being associated with an identified or identifiable natural person, even through matching with other data. |
“Processing of Personal Data” | Any operation performed on personal data, whether by wholly or partially automated means or non-automated means provided that it is part of any data recording system, including collection, recording, storage, retention, alteration, rearrangement, disclosure, transfer, acquisition, making available, classification, or prevention of use. |
“Deletion of Personal Data” | The process of rendering personal data inaccessible and unusable for relevant users in any way. |
“Destruction of Personal Data” | The process by which personal data is rendered inaccessible, irretrievable, and unusable by anyone, in any way. |
“Board” | Personal Data Protection Board |
“Authority” | Personal Data Protection Authority |
“Law”, “PDPL” | Law No. 6698 on the Protection of Personal Data |
“PDPL Policy” | The Personal Data Protection and Processing Policy adopted by the Company |
“Special Categories of Personal Data” | Data concerning an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and appearance, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. |
“Company” | Samaş Sanayi Madenleri Anonim Şirketi |
“VERBIS”, “Registry” | The Data Controllers’ Registry Information System maintained by the Personal Data Protection Authority |
“Data Processor” | A real or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. |
“Data Controller” | A real or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. |
3. GENERAL PRINCIPLES IN THE PROCESSING OF PERSONAL DATA
The Company complies with the “General Principles” that must be adhered to when processing personal data, as listed in Article 4 of the Personal Data Protection Law:
3.1. Processing in Compliance with Law and Fairness Rules
The Company manages personal data processing activities in accordance with legal norms, universal legal principles, and rules of fairness; it informs the relevant individuals appropriately to ensure transparency of the processes; and it considers the interests and reasonable expectations of the data subjects during these processes. Within this scope, the Company prevents outcomes from arising in the data processing activities that the data subject does not expect and should not be expected to anticipate.
3.2. Ensuring Personal Data is Accurate and Updated When Necessary
Personal data is generally processed based on the declaration of the relevant individuals and accepted as accurate as declared. The Company exercises reasonable care and attention to ensure that personal data within its legal entity is kept accurate and up-to-date, and does not contain incorrect information. If changes occur in the processed personal data and are communicated to the Company by the relevant individual, the Company ensures the establishment of the necessary administrative and technical mechanisms to update the personal data in the relevant database.
3.3. Processing for Specific, Explicit, and Legitimate Purposes
The Company clearly defines legitimate and lawful purposes for data processing before initiating any personal data processing activity and processes personal data only as much as necessary in connection with the Company’s products and services.
3.4. Processing That Is Relevant, Limited, and Proportionate to the Purpose
Personal data is processed by the Company in a manner that is relevant, limited, and proportionate to the purposes defined and communicated to the data subject. The Company ensures a reasonable balance between the data processing activity and the intended purpose, taking care that the processing is sufficient to achieve the purpose.
3.5. Retention for the Period Prescribed by Relevant Legislation or as Necessary for the Purpose of Processing
The Company has established retention periods, destruction schedules, and the technical and administrative measures to be applied for the preservation of personal data and acknowledges its responsibility to ensure the storage of personal data in accordance with these principles. Accordingly, personal data is retained for the period prescribed by applicable legislation or as long as required by the purpose of processing. However, when the prescribed period ends or the purposes of processing have been fully fulfilled, the Company deletes, destroys, or anonymizes the personal data. As the Data Controller, if there is no legal retention period specified by relevant legislation, the Company retains personal data only for the duration necessary to fulfill the processing purpose.
These principles apply regardless of whether the Company processes personal data based on explicit consent or other legal grounds for data processing. At this point, the Company processes personal data in accordance with the conditions for data processing and general principles, and also fulfills its obligation to inform the relevant individuals.
4. INFORMATION ON THE PROCESSING OF PERSONAL DATA
The Company has defined, in a modifiable and updatable manner, the categories of personal data processed, the groups of data subjects whose data is processed, the purposes of processing personal data, the legal grounds for processing, the channels through which personal data is collected, the recipient groups to whom data is transferred, the retention periods and destruction processes for expired personal data, and the security measures taken to ensure the security of personal data throughout these processes. All this information is summarized, updated, and publicly published on the VERBİS registry system (verbis.kvkk.gov.tr) accessible via the Institution’s website and is regularly updated on the relevant platform.
4.1. CATEGORIES OF PERSONAL DATA
The Company has categorized the personal data it processes to ensure compliance with legal regulations and to properly manage personal data processing and protection processes.
All personal data categories are fundamentally organized under two main categories: “Personal Data” and “Special Categories of Personal Data.”.
The categories and definitions of all personal data processed within our Company are as follows:
PERSONAL DATA CATEGORY | DEFINITION |
Identity Data | Data containing information related to a person’s identity; such as full name, Turkish Republic identification number, mother’s and father’s names, mother’s maiden name, date of birth, place of birth, marital status, signature, and similar information. |
Communication Data | Address, email address, contact address, registered electronic mail address (KEP), phone number, etc. |
Personal Records Data | Payroll information, disciplinary investigation records, employment entry-exit documents, resume information, performance evaluation reports, etc. |
Legal Process Data: | Adli makamlarla yazışmalardaki bilgiler, dava dosyasındaki bilgiler gibi |
Customer Transaction Data | Call center recordings, invoice, promissory note, check details, teller receipts, order information, request information, etc. |
Transaction Security Data | IP address information, website login/logout data, password and access credentials, etc. |
Financial Data | Bank details, IBAN number, financial performance data, credit and risk information, asset information, etc. |
Professional Experience Data | Diploma information, attended courses, in-service training data, certificate information, etc. |
Visual and Audio Recording Data | Photographs, videos, visual and audio recordings, etc. |
Other (Vehicle Information) | Used vehicle, mileage, license plate, vehicle type information, etc. |
Other (Body Measurements) | Clothing size, shoe size information, etc. |
Other (Proximity Information) | Proximity data. |
SPECIAL CATEGORIES OF PERSONAL DATA | DEFINITION |
Health Information | Information related to disability status, blood type, personal health data, etc. |
Criminal Convictions and Security Measures | Information regarding criminal convictions, security measures, etc. |
Biometric Data | Palm print data, fingerprint information, retina scans, facial recognition data, etc. |
4.2. GROUPS OF DATA SUBJECTS WHOSE PERSONAL DATA IS PROCESSED
The groups of data subjects whose personal data is processed within our Company and their definitions are publicly notified and published on the official website of the Authority in the VERBIS system (verbis.kvkk.gov.tr).
4.3. PURPOSES OF PERSONAL DATA PROCESSING
The Company processes personal data appropriately and in a limited manner based on at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law, and in accordance with the “General Principles of Personal Data Processing” set forth in Article 4 of the Law mentioned above. Pursuant to Article 10 of the Law and secondary legislation, the Company informs the relevant data subject groups separately about the categories and purposes of data processing through the respective data disclosure notices. The purposes for which the Company processes personal data are declared in the Data Controllers Information System (VERBIS) and are publicly accessible on the system (link: verbis.kvkk.gov.tr).
4.4. CONDITIONS FOR PROCESSING PERSONAL DATA
The Company processes personal data either based on the explicit consent of the relevant data subject or in compliance with one or more of the other legal grounds for data processing. In cases where the processed personal data qualifies as special category personal data, the conditions specified under the “Processing of Special Category Personal Data” section of this Policy shall apply.
Existence of the Data Subject’s Explicit Consent
This data processing condition applies when the data subject has given explicit consent based on being informed and of their own free will regarding a specific matter. The explicit consent obtained from the data subject is retained by the Company in a provable manner for the legally required duration under the Personal Data Protection legislation (KVK). In the presence of any of the personal data processing conditions listed below, personal data may be processed without the explicit consent of the data subject.
Explicit Provision in Laws
This data processing condition applies when there is a clear provision in the relevant law regarding the processing of that personal data. Some of the applicable laws and regulations that serve as legal bases include:
Labor Law,
Social Insurance and General Health Insurance Law,
Occupational Health and Safety Law,
Tax Procedure Law,
Individual Pension Savings and Investment System Law,
Regulation on Occupational Health and Safety Services,
Regulation on the Duties, Authorities, Responsibilities, and Training of Workplace Physicians and Other Health Personnel,
Regulation on Procedures and Principles of Occupational Health and Safety Trainings.
Inability to Obtain Explicit Consent Due to Factual Impossibility
When the data subject is unable to give consent due to factual impossibility or when their consent is not legally valid, and processing their personal data is mandatory to protect the life or physical integrity of the data subject or another person, the personal data is processed based on this data processing condition..
Direct Relation to the Establishment or Performance of a Contract
If the processing of personal data is necessary for the establishment or performance of a contract to which the data subject is a party, the processing takes place based on this data processing condition.
Necessity for the Data Controller to Fulfill Legal Obligations
Şirketin If processing personal data is necessary for the Company to fulfill its legal obligations, the processing is carried out based on this data processing condition.
Personal Data Made Public by the Data Subject Themselves
Personal data that has been made public by the data subject themselves is processed only within the scope of the purpose of public disclosure.
Processing Data is Necessary for the Establishment, Exercise, or Protection of a Right
If processing personal data is necessary for the establishment, exercise, or protection of a right, the personal data of the relevant person is processed based on this data processing condition.
Processing Data is Necessary for the Legitimate Interests of the Data Controller
Provided that it does not harm the fundamental rights and freedoms of the relevant person, if data processing is necessary for the legitimate interests of the Company, processing is carried out based on this data processing condition.
4.5. CONDITIONS FOR THE PROCESSING OF SPECIAL CATEGORY PERSONAL DATA
The Company processes special category personal data by complying with additional measures announced by the Personal Data Protection Board, taking all necessary administrative and technical precautions, and provided that at least one of the following data processing conditions is met:
The explicit consent of the data subject,
Being explicitly stipulated in the laws,
In cases where the data subject is unable to express consent due to factual impossibility or the consent lacks legal validity, and processing is necessary for the protection of the life or physical integrity of the data subject or another person,
Related to personal data made public by the data subject and in accordance with the will of disclosure,
Processing is necessary for the establishment, exercise, or protection of a right,
Necessary for persons under confidentiality obligations or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management, and financing of health services,
Necessary for fulfilling legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance,
processing may be carried out under these conditions..
4.6. DATA COLLECTION CHANNELS
The Company obtains personal data from physical and electronic environments in accordance with legal regulations, the purposes set forth in this Policy, and the relevant processing conditions. The environments and channels through which personal data are collected are as follows:
PHYSICAL DATA COLLECTION | ELECTRONIC DATA COLLECTION |
Physical Mail | |
Printed Forms | Used Software and Applications (SAP, Meyer System, SuccessFactors, Hudson System, Mobilexpense Platform, Oracle…) |
Due to the development and changes in business processes and technological advancements, these channels may vary. In accordance with the principle of transparency, any such changes will be reflected through updates to this Policy.
4.7. TRANSFER OF PERSONAL DATA
The Company transfers personal data and special category personal data to third parties in accordance with the provisions set forth in Articles 8 and 9 of the Law, based on lawful personal data processing purposes, and by taking all necessary administrative and technical measures.
4.7.1. DOMESTIC TRANSFER
The Company acts in accordance with the law in its data transfer activities. Personal data is transferred to third parties only to the extent required by the service and purpose of the transfer. The “Data Processor” recipient groups are appropriately instructed regarding data security through data transfer agreements.
RECIPIENT GROUPS | EXAMPLES OF TRANSFER PURPOSES |
Authorized Public Institutions and Organizations | To fulfill legal obligations, personal data may be transferred to institutions such as Social Security Institution (SGK) and similar organizations. |
Group Companies | Limited to ensuring the execution of commercial activities requiring participation of OYAK Group Companies. |
Supplier (Product / Service Provider) Companies | Transferred for the purposes of procurement of products/services, maintaining business continuity, and establishing and performing contracts. |
Banks | Transferred for the execution of financial processes. |
Independent Audit Firms | Transferred for conducting audit and ethical activities. |
4.7.2. TRANSFER ABROAD
The Company may transfer personal data abroad only in accordance with the provisions set forth in Article 9 of the Personal Data Protection Law (KVK Kanunu) and by taking the necessary administrative and technical measures. Such transfer is possible under one of the following conditions:
To foreign countries declared by the Authority as having adequate protection, or
In the absence of adequate protection, provided that appropriate safeguards stipulated by the Law are ensured, without requiring the explicit consent of the data subject, or,
In the absence of adequate protection and appropriate safeguards, the transfer abroad may be carried out only under limited cases specified in paragraph 6 of Article 9 of the Law.
Examples of recipient groups to whom personal data is transferred and their sharing purposes are as follows:
RECIPIENT GROUPS | EXAMPLES OF TRANSFER PURPOSES |
Supplier (Product / Service Providers) Companies | Personal data is transferred for the purposes of product/service procurement, ensuring business continuity, and the establishment and fulfillment of contracts. |
The recipient groups to whom personal data is transferred, as well as the categories of personal data transferred abroad, may vary. These changes and updates are publicly announced and published on the Institution’s website at the VERBİS (verbis.kvkk.gov.tr) platform.
4.8. STORAGE AND DESTRUCTION OF PERSONAL DATA
As the Data Controller, the Company has determined the retention periods, destruction intervals, and the technical and administrative measures to be implemented for the preservation of personal data, and has declared these periods separately for each personal data category in VERBİS. The Company is aware of its obligation to ensure the preservation of personal data in accordance with these principles.
Within this scope, pursuant to the Personal Data Protection Law (KVK Law), personal data is retained for the period prescribed by the relevant legislation or for the duration necessary for the purposes for which they are processed. These periods have been established, and once these periods expire or the purposes for which the data were processed are completely fulfilled, the relevant personal data are deleted, destroyed, or anonymized at the end of the periodic destruction intervals determined in the Policy, in accordance with the “Regulation on the Deletion, Destruction or Anonymization of Personal Data.” The data may also be anonymized for analytical purposes. You may request further information via the contact details provided in this KVK Policy.
5. SECURITY MEASURES REGARDING PERSONAL DATA
The Company takes technical and administrative measures, considering technological possibilities and implementation costs, to ensure the lawful processing of personal data. The technical and administrative measures taken to protect personal data are applied with particular care and additional precautions for special categories of personal data. Necessary audits are conducted periodically at the highest level within the Company, and these security measures are also specified in VERBİS.
The Company takes all appropriate security measures to ensure that personal data is processed only within the designated purposes and to reduce risks such as malicious use, unauthorized access, transfer, destruction, or alteration of personal data. These security measures also cover other precautions taken regarding issues such as the transfer of personal data abroad.
The personal data processed by the Company is confidential, and the Company strictly adheres to this confidentiality. Only individuals authorized by the Company have access to personal data. Within this framework, compliance of software with standards, careful selection of third parties, and adherence to the Personal Data Protection Policy (KVK Policy) within the Company are ensured.
Despite the Company taking necessary data security measures, in the event that personal data is damaged or accessed by unauthorized third parties as a result of attacks on the Company’s system, the Company will immediately take action to remedy the breach and minimize the damage to the data subject. The Company will promptly notify the relevant individuals and the Personal Data Protection Board (Kurul) about the incident and take the necessary precautions.
6. OBLIGATION TO INFORM
In accordance with Article 10 of the Personal Data Protection Law (KVK Kanunu) and the provisions of the “Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform,” the Company informs the relevant individuals through appropriate disclosure texts about the identity of the data controller, the methods by which their personal data is collected, the legal basis for processing, the purposes of processing, the recipients and purposes for which personal data is transferred, and the rights that the relevant individuals have regarding the processing of their personal data.
7. RIGHTS OF PERSONAL DATA OWNERS
According to the Constitution of the Republic of Turkey, everyone has the right to request the protection of their personal data. In this context, the rights of the relevant individuals over their personal data are listed below as per Article 11 of the Personal Data Protection Law :
To learn whether their personal data is being processed,
To request information if their personal data has been processed,
To learn the purpose of the processing of their personal data and whether it is used in accordance with that purpose,
To know the third parties to whom their personal data has been transferred, domestically or abroad,
To request correction of their personal data if it is processed incompletely or incorrectly,
To request deletion or destruction of their personal data within the conditions set out in Article 7 of the KVK Law,
To request that the deletion, destruction, or correction be notified to third parties to whom the personal data has been transferred,
To object to the emergence of a result against the data owner through the exclusive analysis of the processed data by automatic systems,
To request compensation for damages in case of loss due to the unlawful processing of their personal data in violation of the KVK Law.
The relevant person can submit their requests within the scope of the rights mentioned above in writing to the Company’s registered electronic mail (KEP) address, using a secure electronic signature, mobile signature, or an electronic mail address previously notified to the Company and registered in the Company’s system. The relevant person may also use the “Data Subject Application Form” available on the Company’s website for their application. The application must include:
Full name and signature if the application is written,
Turkish Republic Identification Number for Turkish citizens; nationality, passport number, or identification number (if any) for foreigners,
The residential or workplace address for notification purposes,
If available, the electronic mail address, phone number, and fax number for notification,
The subject of the request, and
Additionally, relevant information and documents related to the subject must be attached to the application. Applications will only be considered if submitted in Turkish. For third parties to submit an application on behalf of the relevant person, a notarized power of attorney issued by the relevant person in favor of the applicant must be provided.
If the relevant persons submit their requests regarding the rights listed above to the Company in accordance with the application procedures specified in this Personal Data Protection Policy and in compliance with the “Communiqué on Procedures and Principles of Application to the Data Controller,” the Company shall finalize the request free of charge as soon as possible and no later than 30 (thirty) days from the application date, depending on the nature of the request. However, if the process requires an additional cost, the Company may charge a fee as determined by the Authority’s tariff.
For written applications, the application date is considered the date the document is delivered to the data controller or its representative. For applications made through other methods, the application date is considered the date the application reaches the data controller.
8. RELEVANT DOCUMENTS
The Company specifies the implementation principles it has established for the protection of personal data in its policies and publishes these policies in publicly accessible environments to the extent relevant. All company policies and regulations prepared on this subject form an integrated whole and complement each other. Through this approach, the Company aims to ensure transparency and accountability by informing the relevant persons about personal data processing activities.
9. ENFORCEMENT AND AMENDMENTS
This Policy is published on the Company’s website and becomes effective as of the publication date. The Company may make changes to this Policy at any time. Such changes take effect on the date the revised Policy is published.
10. OUR INFORMATION AND CONTACT
If you have any questions about this Personal Data Processing and Protection Policy or our approach regarding the processing and protection of your personal data, or if you wish to exercise any of the rights specified in the Personal Data Protection Law, you can obtain information through any of the following channels:
Samaş Sanayi Madenleri Anonim Şirketi
Address: Gaziosmanpaşa Mahallesi John F. Kennedy Caddesi No: 155 Çankaya / ANKARA
Phone: +90 312 457 99 30
E- mail: info@samas.com.tr