All terms and expressions used in this notice will have the meanings ascribed to them in the Personal Data Protection Law No. 6698 (the “LPPD“) and other legislation. In this notice, the term “you” refers to your party personally. The definitions of the terms and abbreviations set forth in the Policy are provided in ANNEX-Abbreviations section.
Please note that if you do not accept the Policy, you should not transmit your personal data to our party. If you choose not to communicate your personal data to our party, we may not be able to provide services to your party, respond to your requests or ensure full functionality of our services, in some cases.
We would like to remind you that it is at your responsibility to ensure that the personal data which you communicate to our Company are accurate, complete and up-to-date. Additionally, if you share data which pertain to other persons with our party, you will be responsible for the collection of such type of data, according to the local legal requirements. In such case, it will purport that you have obtained all necessary permissions from such third parties for our collection, processing, use and disclosure by our party of information pertaining to them, and our Company will not held responsible therefor.
We have started powder coating production in 1988, and we have been carrying on our operations under the name Pulver since 1991. Having embarked on the powder coating journey to touch and color the lives of customers, we maintain our global activities as Turkey’s largest and Europe’s second-largest powder coating manufacturer. We make a difference in the powder coating industry of Turkey, which is Europe’s leading manufacturer and importer of powder coatings. Thanks to our global export network, we deliver our quality and environment-friendly surface coating solutions to Russia, North Africa, the Middle East, and Turkic republics as well as Europe.
We have played an important role in expanding the industry volume since our establishment. We continue our production by building up strength on a day-to-day basis. At Pulver, we meet about 30% of Turkey’s powder coating production while exporting 50% of our total production to 40 countries. We have ranked first as Turkey’s top coating exporter for many years now.
We manufacture for various industries as one of the most sought-after brands in electrostatic powder coatings. Our product range consists of general industrial powder coatings, white goods, automotive, and architectural powder coatings. We offer a wide range of products and colors to all our customers.
We attach importance to technical infrastructure and high performance as well as quality, versatility, and sustainable production. As an industry-leading brand, we closely follow technology developments and offer high-quality surface coating solutions thanks to our innovative studies in our R&D laboratories. Besides, we value aesthetic appearance and provide the preferred coating colors in our wide product range by keeping track of the color trends.
It is notably important for us to fully meet the demands of our customers. Accordingly, we design the desired colors, texture, and surface effects tailored to the needs of our customers in addition to standard production.
We attach importance to customer satisfaction producing fast and sustainable solutions with our pre-sale and after-sales expert technical service. Today, we serve as a sought-after company in the powder coating industry with our strong sales network for our customers located in different countries particularly Turkey and Europe.
On this path to color life, we beautify products with surface coating solutions in compliance with international standards and continue our work to fulfill your requests.
The terms of “us” or “Company” or “Pulver” in this Policy concern the processing of personal data by Pulver Kimya Sanayi ve Ticaret A.Ş., operating at the address of Gebze Organize Sanayi Bölgesi (GOSB) Tembelova Alanı 3200 Sokak No:3201 Gebze 41400 Kocaeli/Türkiye and registered at Istanbul Trade Registry Directorate with the number of 276525 (“Pulver”), as the Data Controller.
OUR PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
All personal data which are processed by our Company, are processed in accordance with the LPPD and the applicable legislation. The fundamental principles and practices which are followed while processing your personal data as per article 4 of the LPPD are explained below:
- Data Processing in accordance with the Law and Principle of Good Faith: Our Company acts in accordance with the principles introduced with the legal regulations and general trust and the principle of good faith rules while processing personal data. Within this scope, our Company considers the proportionality requirements in the processing of personal data and does not use the personal data other than as necessitated for the purpose.
- Ensuring the Personal Data to be Accurate and if Necessary, Up-to-Date: Our Company ensures that the personal data which are processed thereby are accurate and up-to-date, by taking the fundamental rights of the personal data subjects and our Company’s legitimate interests into account.
- Data Processing for Specified, Explicit and Legitimate Purposes: Our Company determines the purpose for legitimate and lawful personal data processing, in a specified and explicit manner. Our Company processes personal data in connection with the products and services offered thereby, and to the extent so required therefor.
- Being Relevant, Limited and Proportionate to the Purposes for Processing: Our Company processes personal data in a manner which is suitable for the materialization of the specified purposes and refrains from processing personal data which are not connected therewith or which are not necessitated.
- Being Stored Only for the Time as Prescribed in the Applicable Legislation or as Necessitated by the Purposes for which They are Processed: Our Company maintains personal data solely for the period which is prescribed in the applicable legislation or for the purposes for which they are processed. Within this scope, our Company initially determines whether any period is prescribed in the applicable legislation for the retention of personal data, and if any period is designated, adheres to such period, and if any period is not designated, stores personal data for a period which is required the purposes for which they are processed. Personal data are erased, destructed or anonymized by our Company at the end of the retention period or if the reasons necessitating their processing cease to exist.
CATEGORIES OF DATA SUBJECTS
The categories of data subjects other than employees (including interns and subcontractor employees) whose personal data are processed by our company are enumerated in the chart below. A separate policy on the processing of personal data of our employees has been drafted and implemented within the Company. Persons who fall outside the scope of the following categories may also submit requests to our Company pursuant to the LPPD, and their requests will also be considered accordingly.
|DATA SUBJECT CATEGORY||DESCRIPTION|
|Customer||Natural or legal persons who/which purchase our products|
|Potential Customer||Natural or legal persons who/which made a request for benefiting from purchasing our products or who/which are interested in our products or who/which are evaluated, in accordance with the customary practices and principle of good faith, to be likely to be interested therein.|
|Visitor||Natural persons who have entered our physical facilities (such as offices) owned or organized by our Company for various purposes or who have visited our websites|
|Third Person/Party||Third party natural persons who are associated with the aforementioned persons in order to ensure the security of the commercial transactions between our Company and such persons or to protect the rights thereof or to derive benefits thereto (e.g. sureties, family members and relatives) or all other natural persons whose personal data are required to be processed by our Company for a particular purpose, despite not being expressly stated hereunder (i.e. former employees)|
|Candidate/Prospective Employee/Intern||Natural persons who have made a job application, through any means, or made their resumés or relevant information available for examination by our Company|
|Group Company Employee||Employees and representatives of PEC Global grup companies, of which our Company is a member, that are located in Turkey|
|Employees, Shareholders and Officers of the Organizations with which we Cooperate||Natural members who work at the organizations with which our Company maintains any business/employment relationship (including but not limited to business partners, suppliers etc.) as well as the shareholders and officers of such organizations|
WHEN DO WE COLLECT PERSONAL DATA ABOUT YOU?
We collect your personal data primarily when:
- you purchase or use our products;
- you sell goods or provide services to our party;
- you subscribe to our newsletters or chose to receive our marketing messages;
- you contact us via e-mail or phone or other communication means such as online messaging to communicate your complaints or feedback;
- you apply for a job at our Company;
- you attend our Company events, seminars, conferences and organizations;
- you contact us for any purpose such as potential customer/supplier/business partner/sub-employer.
We will only process the personal data, which we obtain in the foregoing cases, in accordance with this Policy.
WHICH PERSONAL DATA DO WE PROCESS ABOUT YOU?
The personal data which we process about you depend on the type of business relationship between us (e.g. customer, supplier, business partner etc.) and the method of your contact with our party (e.g. via phone, e-mail, printed documents etc.).
Primarily, our methods of processing of personal data concern the situations in which you attend our business events or surveys or otherwise interact with our party, by phone or via e-mail. In this context, the personal data which we process about you may be specified under the categories below:
|Identification details||Information included in the identification documents such as name, surname, title, date of birth etc.|
|Contact details||E-mail, phone number, address|
|Photos and/or videos which may identify you||Photos and video images and audio data which are processed for security purposes when you visit our Company or participate in events which are organized by our Company|
|Financial Data||Bank account data, invoice/billing information|
|Other details which you voluntarily decide to share with Pulver||Any personal data which you share at your own discretion, and any feedbacks, opinions, requests and complaints, evaluations, comment and pertinent evaluations, uploaded files, areas of interests, and information which you submit to us for our detailed review process prior to the establishment of a business/employment relationship with your party|
|Electronic data which are collected automatically||When you visit or use our website, subscribe to our newsletters, and interact with us through other electronic means, we may collect electronic data sent to us by your computer, mobile phone or other access device (e.g. the country, city in which you are located, device hardware model, IP address, operating system version and settings, your time and duration of using our digital channel, links you click etc.)|
|Legal action or compliance details||Your personal data, audit and inspection data which are processed within the scope of determination, follow-up of our legal receivables and rights and discharge of our debts and compliance with our legal obligations and policies of our Company and personal data which are processed for the issuance of invoices pertaining to the stores for the purpose of the conducting of customer billing processes|
|Data pertaining to Corporate Customers/Suppliers||Information gathered with respect to the data subjects such as employees, signatories at customers/suppliers or data subject customers/suppliers in consequence of the operations conducted by our business units/departments within the scope of the sale of our products|
|Incident management and security details||Information and evaluations about the incidents which have the potential to affect our Company’s employees, managers or shareholders; vehicle license plate and vehicle information and transportation and travel details|
|Health Information||Health reports|
|Professional Information||Education/background, certificate information|
|Personal Information||Retirement information, SSI (Social Security Institution) statement of employment|
|Personal data collected from other resources||To the extent permitted by applicable laws and regulations, we may also collect your personal data through public databases, social media platforms and methods and platforms through which our business partners collect personal data on our behalf. For example, prior to the establishment of a business/employment relationship with you, we may carry out a search on publicly available sources about your party in order to ensure the technical, administrative and legal security of our commercial activities and operations. In addition, it may also be possible for you to communicate certain personal data pertaining to third parties (e.g. personal data pertaining to sureties, companions, family members). In order to manage our technical and administrative risks, we may process your personal data through methods that are generally accepted in these areas in accordance with generally accepted legal, commercial practices and principle of good faith.|
THE PROCESSING OF PERSONAL DATA PERTAINING TO PROSPECTIVE EMPLOYEES
In addition to the personal data categories which are enumerated hereinabove, we also collect personal data such as the school of graduation, previous work experience, disability, etc. pertaining to the Prospective Employees in order for us to grasp their experiences and qualifications; evaluate their eligibility for the open positions; verify the accuracy of the information provided, if so required; and conduct research about the candidate by contacting the third parties whose contact information have been provided thereby; to contact the candidate regarding the job application process; to carry out the recruitment if the candidate is deemed as suitable for open positions; to ensure compliance with legal regulations; and to implement our Company’s recruitment rules and human resources policies.
The personal data pertaining to the prospective employees are processed through the job application form available in printed form and on electronic mediums, our Company’s electronic job application platform, applications sent to our Company either physically or via e-mail, recruitment and consultancy companies, interviews held on-on-one and electronically, the checks carried out about the prospective employee by our Company, recruitment tests conducted by the human resources experts to evaluate the eligibility of the candidate during the recruitment process.
Prospective employees are informed in detail in accordance with the LPPD in a separate document before submitting their personal data when making a job application, and their explicit consent is attained for the required personal data processing activities.
THE PROCESSING OF PERSONAL DATA PERTAINING TO THE VISITORS OF OUR OFFICES
Our Company processes personal data for the purposes of ensuring the physical security of our Company, our employees and visitors, and inspecting the workplace rules during the entrance and exit processes of the visitors of our premises. Within this scope, the names/surnames and Turkish ID numbers of our visitors are confirmed from their ID cards, and noted down in the guest book in order to monitor visitor entrances and exits. However, the visitor’s ID card is not kept during the time when (s)he is at the Company premises, and is returned to the visitor after the referred record is entered in the guest book.
Prior to the attainment of the information, visitors are informed of the processing of personal data via a privacy notice which is placed at the security entrance. However, since our Company has a legitimate interest in this respect, the visitor’s explicit consent is not taken as per art. 5(2)-(f) of the LPPD. Such data are only kept physically in the guest registration book and are not transferred to any other media, unless there is a situation which casts suspicion to pose a threat to the security of the Company. Nevertheless, these information may be used in circumstances such as the prevention of a crime and ensuring the security of the Company.
In addition to the foregoing, internet access is provided to our visitors who make such a request, during the time they spend at our Company premises, for ensuring the security of our Company and for the purposes set forth herein. In such case, the log records pertaining to your internet access are maintained in accordance with the Law No. 5651 and the mandatory provisions of the legislation enacted thereunder, and such records are processed solely if so required by competent public institutions and organizations or to fulfill our legal obligation during the internal audit processes to be carried at our Company.
The log records which are obtained accordingly are only accessible to a limited number of Pulver employees. The Company employees, who have access to such records, access them in order to use such upon requests received from the competent public institutions and organizations or during audit processes and share such only with legally authorized persons.
THE PROCESSING OF PERSONAL DATA THROUGH CLOSED CIRCUIT CAMERA RECORDING
Security cameras are used in order to ensure the security of our Company and our facility, and personal data are thereby processed. Within the scope of the monitoring
activity with security cameras, our Company intends to improve the quality of the services offered; to ensure the security of the Company’s physical premises and the life and property of the people therein; to prevent abuses and to protect the legitimate interests of the data subjects.
The personal data processing activities which are carried out by our Company with security cameras are performed in accordance with the Constitution, the LPPD, the Law on the Private Security Services No. 5188 and the applicable legislation. Monitoring in a manner which might result to an interference with the privacy of persons in excess of the security objectives should not be undertaken. Within this scope, daa subjects are informed with warning signs which are placed in the common areas where CCTV recordings are made. However, since our Company has a legitimate interest in keeping CCTV records, the explict consents thereof are not obtained. In addition, as per art. 12 of the LPPD, technical and administrative measures are taken by the Company to ensure security of personal data which are obtained as a result of the CCTV monitoring activity.
Moreover, a procedure on the areas where CCTV cameras are installed, the areas for monitoring with cameras, the retention period regarding the records has been prepared by and implemented at our Company. The referred procedure is taken into account prior to the installation of any CCTV cameras, and the cameras are installed afterwards. The installation of cameras in a manner which exceeds the security objectives and the privacy of persons is not permitted. The images of CCTV cameras is only accessible to a limited number of Company employees, and such authorizations are regularly reviewed. The employees who have access to such records are required to sign a letter of undertaking which stipulates that they will protect personal data in accordance with the law.
Image recording is undertaken with a total of 60 security cameras which are installed at the entrance doors, exterior façade of the building, manufacturing areas, dining hall, service areas of the floor corridors of our Company’s offices, and for ensuring the security of the building, and the recording operation is inspected by the security unit/department.
FOR WHICH PURPOSES DO WE USE YOUR PERSONAL DATA?
The purposes for which we use your personal data varies depending on the type of business relationship between us (e.g. customer, supplier, business partner etc.). Primarily, your personal data are processed for the purposes which are specified herein below. The personal data processing activities related to Prospective Employees are explained under the section of “The Processing of Personal Data pertaining to Prospective Employees”.
Our Purposes for Processing Personal Data
|Evaluation of potential suppliers/business partners||Conducting of our review and conflict of interests process as per our risk rules|
|Establishment and management of customer relations, conducting and conclusion of the agreement process with our suppliers/business partners||Carrying out of the sales operations of our Company; submission of quotations regarding our products; carrying out of necessary tests for our customers wishing to try our products before sale; supply of goods, invoicing (including e-invoice and return invoice operations), follow up of the invoices for our customers and suppliers which do not fall within the scope of e-invoice, over the e-archive system; conclusion and performance of agreements; ensuring post-contract legal transaction security; carrying out of tests on products after sale and the remedy of existent problems, if so required; development of our services, evaluation of new technologies and applications/practices; determination and implementation of the commercial and business strategies of our Company; management of operations (requests, quotations, evaluation, orders, budgeting, agreement); arrangement of transportation of goods; management of financial operations, and carrying out of reconciliations with our suppliers and customers within this scope; administration of financial affairs; carrying out of cheque, promissory note and pledge operations; offering of alternatives to legal/natural persons with which/whom commercial relationships are maintained; carying out of existing customer and dealer visits; archiving of agreements, conducting of translation works in cases so required by our commercial relationships; carrying out of damage accounting within the scope of insurance operations; notification of the insurance company of damages, and within this scope, the materialization of expert examinations and the receipt of payments; control of the conformity of supplier companies with the quality standards, and the realization of necessary inspections in this respect; carrying out of documentation studies regarding quality standards; arrangement of the travels of the engineers and technical personnel who visit Pulver for business trips; arrangement of the travels of our customers and dealers; granting of in-factory work permits; carrying out of collaborations with universities within the scope of R&D activities; organization of R&D training|
|Conducting of the direct marketing processes||Sending of marketing notifications regarding our services via e-mail or by telephone; conducting of satisfaction surveys or evaluation of and responding to your opinions, complaints and comments which you communicate through social media, online platforms and other media; provision of information of our customers regarding company innovations; conducting of marketing activities with participants at the events to be organized; sharing of the photographs taken at the fairs within the scope of social media activities; holding of interviews and provision of information/notice on meetings within the scope of the execution of press activities; responding to the customers who request catalogues over mobile applications or the internet; carrying out of the e-mailing activities following our participations at fairs|
|Communication and support (upon your request)||Responding to any requests for information about our services; provision of support for requests received through our communication channels, maintenance of our records and updating of our database (in connection with the issuance of new customer and new dealer cards); getting in contact with the customers and suppliers at fairs attended; reciprocal exchange of business cards; coming up with solutions regarding the complaint reports of our sales or quality control units/departments, and reporting of the actions taken|
|Compliance with legal obligations||Carrying out of tax and insurance processes, fulfillment of our statutory obligations arising from applicable legislation, including primarily the Law No. 5651 and other legislation, the Law on the Regulation of Electronic Commerce No. 6563 and other legislation, Turkish Criminal Code No. 5237 and the Law on the Protection of Personal Data No. 6698; execution of the necessary processes within the scope of applicable laws and regulations such as the carrying out formalities before public authorities; the obligations to keep records and provide information, compliance and audits, investigations and inspections of public authorities; follow-up and finalization of our legal rights and claims, and the disclosure of data upon the request of public authorities; execution of the relevant processes within the scope of the specified needs and requirements in order to ensure the fulfillment of the statutory obligations which are prescribed in the LPPD as required or mandated by regulatory and supervisory authorities, and legal regulations|
|Safeguarding of the Company interests and ensuring its security||Carrying out of any necessary audit activities for the protection of our Company’s interests and benefits; conducting of the conflict of interest checks; ensuring the legal and commercial security of the persons who/which are in business relationship with our Company; keeping of the CCTV records for the protection of the company devices and assets; adoption of the technical and administrative security measures; carrying out of the necessary works for the development of the services which we offer; implementation and supervision of workplace rules; planning and execution of social responsibility activities; protection of the commercial reputation of PEC Global group companies; reporting of all incidents, accidents, complaints, losses and thefts in the premises; responding to and taking of necessary measures against them; communication of the rules to be followed for the dangerous situations which may arise during the maintenance and repair works, and measuring of the professional competencies of the subcontractors; ensuring the order of the company employees’ entries to and exits from the premises; the attainment of the necessary information for security purposes; carrying out of necessary quality and standard audits or performance of reporting and other obligations which are laid down under the laws or regulations; evaluation of the suitability of the admissions of the suppliers to the site|
|Planning and execution of the Company’s commercial activities||Carrying out of communication, market research and social responsibility activities, purchasing operations conducted out by our Company in line with the purpose for the determination, planning and implementation of our Company’s short, medium and long-term commercial policies|
|Reporting and auditing||Ensuring communication with PEC Global group companies which were incorporated in Turkey, conducting necessary activities, internal audit and reporting processes|
|Protection of rights and benefits||Defending the Company against legal claims such as lawsuits, investigations etc., mediation, execution of the judgements of legal and public lawsuits|
HOW DO WE USE YOUR PERSONAL DATA FOR MARKETING PURPOSES?
In principle, we always obtain your consent to process your personal data within the scope of marketing activities since marketing activities are not considered fall under the exceptions which are regulated in art. 5(2) and art. 6(3) of the LPPD. Our company may regularly send you promotional communications regarding our products and events. Such promotional communications may be sent to you through different channels such as e-mail, phone, SMS text messages, post and third-party social networks.
In order to provide you with the best personalized experience, these communications may sometimes be adapted to your preferences (for instance, when you specify them, according to the results we deduce from your website visits or on the basis of the links which you click in our e-mails).
Upon your consent, we may conduct processing for providing your party with special product offers such as internet advertising, product advertising; using Cookies for such purpose, making commercial offers by taking your preferences into account, and offering special contents and other benefits with respect to sales and marketing activities to be carried out especially for you, and we may conduct processing for creating new product and service models, sending electronic commercial messages (newsletters, customer satisfaction surveys, product advertisements etc.); sending gifts and promotions, and we may carry out marketing activities for corporate communications and the organization of other events and invitations in this regard.
When so required by applicable legislation, we will ask for your permission prior to the commencement of the aforementioned activities. Furthermore, you will be given the opportunity to withdraw (suspend) your consent at any time. In particular, you can always suspend the delivery of marketing notifications by following the instructions for unsubscription which are included in every e-mail and SMS message.
If you log into an Pulver account, you may be given the option to change your communication preferences under the relevant section of our website or application. You can always contact us to suspend the delivery of marketing communications to your party (contact information are available in the section “What rights do you have regarding your Personal Data?” below).
ON WHAT LEGAL GROUNDS DO WE PROCESS YOUR PERSONAL DATA?
We process your personal data on the following grounds which are regulated in art. 5 of the LPPD, in particular, the Turkish Commercial Law No. 6102, Turkish Law of Obligations No. 6098, Tax Procedure Law No. 213, and the electronic commerce legislation:
|We process your personal data on the basis of your consent in cases in which we are required to obtain your explicit consent as per the LPPD and other legislation (Please note that in such case, you may withdraw your consent at any time)||We obtain your consent in order to carry out our marketing activities.|
|In any case which is permitted by the applicable legislation||Indication of the data subject’s name on the invoice as per art. 230 of the Tax Procedure Law|
|When it is necessary to protect the vital interests of any person||Submission of the health information of the board member who faints during a board meeting, to a physician|
|When we are required to conclude an agreement with you, perform the agreement or fulfill our obligations under an agreement||Attainment of the customers’ bank account details within the scope of a contractual relationship with customers|
|When we fulfill our legal obligations||Discharge of our tax obligations, submission to the court of the information sought by a court order|
|In cases where your personal data are made public by your party||Use of the personal data which you have made public by sending us an e-mail message for us to contact you, provision by prospective employees of their on the website where job applications are collected, or through social media channels in accordance with the purposes for which such personal data have been made public|
|Where data processing is mandatory for the establishment or safeguarding of a right, exercising our legal rights and defending against legal claims filed against us||Storage of documents constituting proof/evidence and use thereof when required|
|In cases where it is so required by our legitimate interests, provided that your fundamental rights and freedoms are not violated||Ensuring the security of our Company’s communication networks and information, carrying out our Company’s activities, detection and investigation of suspicious transactions and conducting research in order to comply with our risk rules, benefiting from storage, hosting, maintenance, support services in order to procure technical and security IT services, ensuring the efficiency of our Company’s activities and making use of the cloud technology to take advantage of the technological means|
In cases where your Personal Data are processed upon your explicit consent, we would like to underline that if you withdraw your explicit consent, you will be removed from the commercial membership program which requires processing based on such explicit consent; and that you will not any longer be able to take advantage of the benefits offered through such transactions as of the date concerned.
WHEN DO WE SHARE YOUR PERSONAL DATA?
Transfer of Personal Data in Turkey
Our Company is responsible for acting in accordance with the decisions which are prescribed in the LPPD and which are adopted by the PDP Board and applicable regulations, in particular art. 8 of LPPD regarding the transfer of personal data. In principle, personal data and special categories of data pertaining to data subjects cannot be transferred by our Company to other natural or legal persons, without the express consent of the data subject concerned.
On the other hand, personal data may be transferred, without the consent of the person concerned in cases which are stipulated in articles 5 and 6 of the LPPD. Our Company may transfer personal data to third parties in Turkey and companies within PEC Global group in accordance with the conditions stipulated in LPPD and other applicable legislation and by taking the security measures put forth in the legislation unless otherwise specified in the Law and other applicable legislation (and, if there is an agreement signed with the data subject, in such agreement as well).
Transfer of Personal Data Abroad
Our Company may transfer personal data to third parties in Turkey, or may also transfer personal data abroad; provided that data are processed in Turkey or processed or maintained outside of Turkey, including outsourcing, in accordance with the conditions laid down in the LPPD and other applicable legislation as mentioned above, and by taking the security precautions prescribed in the legislation. We transfer your personal data abroad by taking necessary technical and administrative measures through cloud computing technology in order to carry out our Company’s activities in the most efficient manner and to benefit from the means of technology. Our Company may also transfer personal data to our enterprises which are located abroad in accordance with the conditions laid down in the LPPD and other applicable legislation and taking the security measures prescribed in the legislation.
In accordance with art. 9 of the LPPD, we, in principle, seek the explicit consent of data subjects for the transfer of personal data abroad. Nevertheless, pursuant to art. 9 of the LPPD, personal data may be transferred abroad, without seeking the explicit consent of the data subject, in the event that any one of the conditions which are regulated in art. 5(2) or art. 6(3) of the LPPD exists, and provided that:
a) there is an adequate level of protection provided in the foreign country to which personal data will be transferred;
b) in cases where there is not an adequate level of protection, the
data controllers in Turkey and the foreign country concerned undertake, in writing, to provide an adequate level of protection and such is permitted by the PDP Board.
Accordingly, in the exceptional cases where the express consent is not sought for the transfer of the personal data mentioned hereinabove, in addition to the conditions for processing and transfer without consent, our Company seeks an adequate level of protection in the country to which personal data will be transferred, in accordance with the LPPD. The PDP Board will determine whether an adequate level of protection is ensured or not; and if an adequate level of protection is not ensured, data controllers in Turkey and the foreign country concerned should provide a written undertaking to ensure an adequate level of protection and the PDP Board should grant permission therefor.
Regarding the service providers with headquarters located overseas and from which we receive support, please refer to the following links for further details:
|Google Ireland Limited||Business applications (e.g. e-mail, document and calendar)||Gordon House, Barrow Street, Dublin 4, Dublin, D04 E5W5Data centers located in various regions of the world (EU, Chile, Singapore, Taiwan, USA)||https://www.google.com/about/datacenters/inside/locations/index.html|
|Microsoft Limited||Azure cloud services||Microsoft Campus, Thames Valley Park, Reading, RG6 1WG, U.K.||https://azure.microsoft.com/de-de/support/trust-center/|
Parties with which Personal Data are Shared in Turkey and Abroad
We do not share your Personal Data except for the special circumstances which are described herein. Access to your Personal Data at Pulver will be solely limited to those who need-to-know the information for the purposes which are described in this Policy. In order to achieve the purposes for the collection of your data (for detailed information on such purposes, please see the section “For which Purposes do We Use your Personal Data?”), we transfer your Personal Data to the following natural and legal persons:
- PEC Global Group Companies: Since we operate, as affiliated with PEC Global group companies, we share your data with and make such available to PEC Global group companies which are located in Turkey and with which we operate in affiliation. Your data will be shared solely with the authorized employees of the relevant PEC Global group companies. However, please kindly be informed that our general data sharing within the scope of financial reporting regarding company activities such as company profitability, efficiency is conducted in a manner not to include any personal data. In certain special cases, we may share personal data instead of sharing anonymous information with PEC Global group companies (such as sharing of claim details for the initiation of an insurance claim file). A Data Sharing Agreement regarding the transfer of your personal data between PEC Global group companies has been executed and necessary measures have been put in place.
In addition, your personal data are also shared with group companies which are located overseas and with which Pulver is affiliated, within the scope of financial reporting regarding company activities such as company profitability, efficiency. Your data will be shared solely with the authorized employees of the relevant PEC Global group companies. A Data Sharing Agreement regarding the transfer of your personal data between PEC Global group companies has been executed and necessary measures have been put in place
- Service Providers: Service providers are defined as parties with which our Company has established a business partnership for purposes such as sales, promotion and marketing of, after-sales support for our Company products while carrying out its commercial activities. Similar to many enterprises, we can work and share data with trusted third parties, such as information and communication technology providers, consultancy services providing E-system services, consulting services providers, cargo companies, travel agencies, for the performance the functions and services in the most efficient manner and in accordance with the most up-to-date technologies within the scope of certain data processing activities. Such sharing is limited to the purpose of establishing a business partnership and fulfilling the purposes of the partnership. Our Company uses cloud computing technologies in order to carry out its activities in most efficient manner and make use of technology at the utmost level and accordingly, we can process your personal data in Turkey and abroad through companies that offer cloud computing services. The marketing services support company with which we share personal data may have been incorporated overseas and within this scope, personal data may be transferred abroad pursuant to the provisions of art. 8 and art. 9 of the LPPD regarding the transfer of data abroad.
- Public Institutions and Organizations: In cases where required by laws or when we need to defend our rights, we may share your personal data with relevant official, judicial and administrative authorities (e.g. tax offices, notaries, law enforcement authorities, gendarmerie, police departments, courts and execution offices).
- Private Law Persons: Pursuant to the provisions of the applicable legislation, personal data may be shared as limited to the purposes requested by the private law persons who are authorized to receive information and documents from our Company (e.g. Occupational Health and Safety Company).
- Professional consultants and others: We share your Personal Data with other people including professional consultants such as those listed herein below for the purposes of the payment of your vested salary and fringe benefits, management of the Company’s credit card transactions and designation and allocation of a company credit card to you:
- Insurance companies
- Translation Offices
- Consulting Firm from which Customs Clearance Services are Obtained
- Transportation Companies
- Mediation Offices
- Airline Companies
- Media Agencies
- Other external professional consultants
- Other parties connected with corporate transactions: Additionally, we share your Personal Data from time to time with other parties connected with the corporate transactions, such as our service providers and consultants in Turkey and abroad, customers, sub-contractors, suppliers, business partners, within the scope of corporate transactions such as the execution of agreements, conducting of the contractual and commercial relations which are established for the carrying out of the Company’s business and activities, ensuring the efficiency and security of the company processes and the fulfillment of the commitments made, during the sale of a company or during the sale of any part of a company to another company, or in case of where the assets or shares of Pulver are subject to any other reorganization/restructuring, merger, joint venture or other sale or disposal (including those related to bankruptcy or similar transactions).
SOCIAL MEDIA PLUG-INS
Our web pages use “social media plug-ins” from social networks, including, in particular the “Share” button of the provider “Facebook” on its website facebook.com which is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. The plug-ins usually feature the Facebook logo. In addition to Facebook, we use plug-ins from “Google+” (provider: Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA), “YouTube” (provider: YouTube LLC, 01 Cherry Avenue, San Bruno, CA 94066, USA), “Twitter” (provider: Twitter, Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA), “Vimeo” (provider: Vimeo Inc., 555 West 18th Street New York, NY 10011 ABD), and “LinkedIn” (provider for customers outside the U.S.A.: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland).
For privacy reasons, we have deliberately chosen not to use direct plug-ins from social media networks on our web pages. Instead, we use an alternative technical solution which allow you to determine whether and when data are transmitted to the operators of the such social networks. When you visit our web pages, no data is automatically transmitted to social networks such as Facebook, Google+, Twitter or Pinterest. Only when you actively click on the respective button, your internet browser connects to the servers of the social network concerned. This means that by clicking on elements and then on the symbol of the social network, you consent to your internet browser establishing a connection with the servers of such social network and transmitting usage data to the operator of such social network. We have no influence on the type and extent of data collected by social networks. For the purpose and scope of the data collection and the further processing and use of the data by the respective social networks as well as their respective rights and options for the protection of your privacy, please refer to their privacy policies.
Further information on data use for “Google+,” “Youtube” or “Twitter” can be found at https://policies.google.com/privacy?hl=tr&gl=de or http://twitter.com/privacy, https://vimeo.com/privacy for Vimeo, and https://www.linkedin.com/legal/privacy-policy for LinkedIn.
Facebook Corporate Products
From time to time, Pulver may use Facebook advertising services and Facebook Pixel retargeting and communication services. With Facebook Corporate Products which are utilized, Pulver intends to show advertising to you on Facebook and/or other associated platforms, and to make such advertising more related with you. The data which are collected thereby remain anonymous for Pulver, and Pulver cannot access any personal data pertaining to the individuals.
For further information on retargeting pixels and technologies provided by Facebook, please visit the following links:
To make your journey easier, we offer you the use of Google Maps to display maps and create directions. Google Maps is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. These pages are labeled accordingly.
Web analysis with Google Analytics
This web page uses Google Analytics, a web analysis service provided by Google Inc. (“Google”). Google Analytics uses “cookies”, text files which are saved on your computer and which enable analysis of your use of the website. The information about your use of this website generated by the cookie (including your abbreviated IP address) is transferred to a Google server in the United States and is saved there. Google will use this information in order to analyze your use of the web page, compile reports on web page activity for the web page operators and provide further services related to web page usage and internet usage. Google will also, where applicable, transfer this information to third parties where this is a legal requirement, or insofar as third parties process this data on Google’s behalf. Google will not link your IP address to other Google data under any circumstances. You can block the use of your data by Google Analytics by installing an add-on in your browser. You can follow the link below, which will take you to the page for Google: http://tools.google.com/dlpage/gaoptout?hl=de.
Each time you access the web page, logs are created and processed for statistical purposes, leaving the individual user anonymous:
- Referrer (web page link referring you to this page)
- Search terms (if the referrer is a search engine)
- IP analysis is undertaken to determine the country of access and the provider
- Browser, operating system, plug-ins installed and screen resolution
- Duration of visits to pages
- The specified data are processed pursuant to the statutory purposes pursuant to the LPPD:
- Ensuring the seamless connection with the web page;
- Ensuring easy use of the web page;
- Evaluation system security and stability and other administrative purposes.
We reserve the right to check these information retrospectively if we become aware of specific indications of illegal use. The data will be deleted immediately, and in any case, within six months at the latest, if they are no longer required for this purpose.
FOR HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We store your personal data only for the period required to fulfill the purpose for which they were collected. We determine such periods separately for each business process, and if there is no further reason to store your personal data at the end of the periods concerned, we destruct your personal data in accordance with the LPPD.
When determining the destruction periods of your personal data, we consider the following criteria:
- The period accepted as a general practice in the sector in which the data controller operates within the scope of the purpose of processing of the relevant data category;
- The period for which the legal relationship which necessitates the processing of personal data in the relevant data category and which is established with the data subject will continue;
- The period for which the legitimate interest to be obtained by the data controller will be valid in accordance with the law and the principles of good faith, depending on the purpose of processing of the relevant data category;
- The period for which the risks, costs, and responsibilities which will result from the retention of the relevant data category will continue at law, depending on the purpose for the processing thereof;
- Whether the maximum period to be determined is suitable for keeping the relevant data category accurate, and when so required, up-to-date;
- The period for which the data controller is required to store personal data in the relevant data category pursuant to its legal obligation;
- The period of prescription which is ascertained by the data controller to claim any rights associated with the personal data in the relevant data category.
HOW DO WE DESTRUCT YOUR PERSONAL DATA?
Despite the processing of personal data in accordance with article 138 of the Turkish Penal Code and the regulation set forth in article 7 of the LPPD, if the reasons requiring the processing of data cease to exist, our Company will, by its own decision, or upon the request of the data subject in that regard, erase, destruct or anonymize personal data.
Within this scope, the Personal Data Retention and Destruction Policy has been drafted. Our Company reserves the right not to fulfill the requests of the data subjects in cases where it is entitled and/or incumbent to protect personal data in accordance with the provisions of the applicable legislation. When personal data are processed through non-automated means, provided that it is part of any filing system; the system requires physical destruction of personal data when the data is erased / destructed in a manner that it cannot be used afterwards. When our Company concludes an agreement with any natural or legal person to process personal data on its behalf, the personal data will be erased by such natural or legal persons in a secure manner, in order to prevent any subsequent recovery. Our Company may anonymize personal data when the reasons for the lawful processing of personal data cease to exist.
DESTRUCTION METHODS OF PERSONAL DATA
Erasure of Personal Data
Despite the processing of personal data in accordance with the provisions of the applicable legal provisions, if the reasons requiring the processing of data cease to exist, our Company may, by its own decision, or upon the requests of the data subjects, erase personal data. Erasure of personal data is the process of making personal data inaccessible to and non-reusable for the users concerned. Our Company takes all necessary technical and administrative measures to make the erased personal data inaccessible to and non-reusable for the users concerned.
Personal Data Erasure Process
The process to be followed in the erasure of personal data is as follows:
- Determining the personal data that will be subject to erasure;
- Identifying the relevant users for each personal data using an access authorization and control matrix or a similar system;
- Determining the authorizations and methods of the relevant users such as access, retrieval and reuse;
- Closing and canceling access, retrieval, reuse authorizations and methods of the relevant users regarding personal data.
Personal Data Erasure Methods
|Personal Data Stored in Servers||The personal data in servers the retention period for which has expired are erased by the system administrator after the revocation of the access authorizations of the users concerned.|
|Personal Data Stored in Electronic Media||The personal data stored in electronic mediums the retention period for which has expired will be made inaccessible to and unusable for other employees (users concerned) than the database manager.|
|Personal Data Stored Physically||The personal data which are physically stored, and the retention period for which has expired will be made inaccessible to and unusable for other employees apart from the unit manager in charge of the document archive. In addition, they will be obscured by crossing out/painting/erasing them in a manner to make them illegible.|
|Personal Data Stored in Portable Media||The personal data which are stored in flash disk-based storage media, and the retention period for which has expired will be maintained in secure environments through encryption by the system administrator and encryption keys the access authorization for which is provided only to the system administrator.|
Personal data should be deleted through the methods that are appropriate for the filing media as they can be stored in various filing media. Relevant examples are provided below:
Software as a Service Type Cloud Solutions (e.g. Office 365 Salesforce, Dropbox): The data on the cloud system should be deleted by giving a delete command. While carrying out the said action, it should be noted that the user concerned does not have the authority to recover the deleted data over the cloud system.
Personal Data Stored in Hard Copy: Personal data stored in hard copy should be erased using the obscuring method. Obscuring is performed by, where possible, cutting out the personal data on the relevant document, or where impossible, by making the personal data invisible to users using indelible ink to render it unreadable via technological solutions.
Office Files on the Central Server: The file should be deleted by the delete command in the operating system or the access rights of the user concerned should be deleted on the file or the directory where the file is located. While carrying out the said action, it should be noted that the user concerned is not also the system administrator.
Personal Data Stored in Portable Media: Personal data in Flash-based storage media must be stored in encrypted form and should be deleted by using software which is suitable for such media.
Databases: The relevant rows containing personal data must be deleted by database commands (DELETE etc.). While carrying out the said action, it should be noted that the user concerned is not also the database administrator.
Destruction of Personal Data
Despite the processing of personal data in accordance with the provisions of the applicable legislation, if the reasons requiring the processing of data cease to exist, our Company may, by its own decision, or upon the requests of the data subjects, destruct the personal data. Destruction of the personal data is a process, by which personal data are made inaccessible to, irretrievable by, or non-reusable for anyone. The data controller is obligated to take all necessary technical and administrative measures for the destruction of personal data.
|Personal Data Stored Physically||The personal data which are stored in hard copy, and the retention period for which has expired will be destructed irrecoverably by using shredder.|
|Personal Data Stored in Optic/Magnetic Media||The personal data which are stored in optic and magnetic media, and the retention period for which has expired will be destructed physically through melting, burning or pulverization. In addition, the data will be made unreadable by passing the magnetic media through a special device and exposing it to a high magnetic field.|
Physical Destruction: The personal data can be processed by non-automated means, provided that it is part of any filing system. The system requires physical destruction of the personal data while the data are erased / destructed in a way that it cannot be used afterwards.
Secure Erasure from the Software: When the data which are processed by wholly or partially automated means and which are stored in digital media are deleted/destroyed, methods are used to erase the data irretrievably from the software concerned.
Secure Erasure by a Specialist: In some cases, a specialist may be engaged to erase the personal data on our behalf. In such case, personal data are erased/destructed securely and irretrievably by the person who is a specialist in this field.
Obscuration: It is the process by which personal data are rendered physically unreadable.
Personal Data Destruction Methods
To destruct the personal data, all copies of the data must be identified and disposed of separately by using one or more of the following methods, depending on the type of systems where the data are stored:
Local Systems: One or more of the following methods can be used to destruct data on these systems: i) De-magnetization: It is a process, by which the magnetic medium is passed through a special device and exposed to a high magnetic field and the data on this device are destroyed in a manner rendering the data thereon unreadable. ii) Physical Destruction: It is a process, by which the optic media and magnetic media are destructed physically by melting, burning or pulverization. Data are rendered inaccessible by melting, burning or pulverizing, or shredding the optical media or magnetic media. If rewriting or de-magnetization is not successful on the hard disks, such media must also be destructed physically. iii) Overwriting: It is a process, by which the recovery of old data is prevented by writing random data consisting of 0 and 1 at least seven times on the magnetic media and rewritable optical media. This process is carried out by using special software.
Peripheral Systems: The destruction methods that can be used depending on the type of medium are as follows: i) Network devices (switches, routers, etc.): the storage media inside these devices are fixed. Products have a delete command, but no destruction property. They must be destroyed by using one or more of the suitable methods specified in (a). ii) Flash-based media: the flash-based hard disks, which have ATA (SATA, PATA, etc.) and SCSI (SCSI Express, etc.) interfaces must be destructed by using the destruction method recommended by the manufacturer, if they are supported, or by using the <block erase> command or by using one or more of the appropriate methods specified in (a), if they are not supported. iii) Magnetic tape: they are the media which store data by means of the micro-magnet parts on the flexible tape. They should be destroyed by exposure to very strong magnetic media and de-magnetization or by physical destruction methods such as pulverization or melting. iv) Units like magnetic disks: they are the media that stores data by means of the micro-magnet parts on flexible plates or fixed media. They should be destructed by exposure to very strong magnetic media and de-magnetization or by physical destruction methods such as pulverization or melting. v) Mobile phones (Sim cards and fixed memory areas): the fixed memory areas in the portable smartphones have a delete command, but no destruction command. They must be destroyed by using one or more of the suitable methods specified in (a). vi) Optic disks: Data storage media such as CDs or DVDs. They must be destructed by physical destruction methods such as pulverization, disintegration, melting. vii) Peripherals such as a printer, fingerprint door access system with removable data recording media: all filing media must be destructed by verifying that they are dismounted by using one or more of the suitable methods specified in (a). viii) Peripherals such as a printer, fingerprint door access system with fixed data medium: most of the said systems have a delete command, but no destruction command. They must be destroyed by using one or more of the suitable methods specified in (a).
Hard Copy and Microfiche Media: the main medium must be destructed because the personal data on such media are permanently and physically written on the media. When carrying out such action, it is necessary to divide the media into small pieces with paper shredders or trimmers, horizontally and vertically if possible, so that they are in a size which is not comprehensible and which cannot be reassembled. Personal data transferred from the original printed form to the electronic medium by scanning must be destructed by using one or more of the suitable methods specified in (a) according to the electronic medium in which they are stored.
Cloud Environment: During storage and use of personal data in these systems, they must be encrypted by the cryptographic methods, and where possible for personal data, particularly for each cloud solution service which is received, separate encryption keys must be used. At the end of the cloud communication service relationship, all copies of the encryption keys required to make personal data usable must be destructed. In addition to the aforementioned media, the destruction of personal data on devices that fail or are serviced is carried out as follows: i) the personal data contained in the related devices must be destructed by using one or more of the suitable methods specified in (a) before such devices are delivered to the third organizations such as the manufacturer, seller, authorized service center for maintenance and repair of the devices concerned; ii) where such destruction is not possible or not suitable, the data storage media must be removed and stored, and other defective components must be delivered to third parties such as manufacturers and sellers; iii) necessary measures should be adopted to prevent any external personnel from copying and taking the personal data out of the organization.
Anonymization of Personal Data
Anonymization of personal data means the rendering of personal data impossible to be associated with an identified or identifiable natural person, even through matching such with other data. Our Company may anonymize personal data when the causes for their lawful processing cease to exist. In order for personal data to be considered as anonymized, the personal data must be rendered impossible to be associated with an identified or identifiable natural person, even by using suitable techniques for the recording medium and relevant field of activity, such as the recovery of data by the data controller or recipient groups and/or matching the data with other data. Our Company takes any and all kinds of technical and administrative measures necessary for the anonymization of personal data.
Personal data which are anonymized pursuant to article 28 of the LPPD can be processed for research, planning and statistical purposes. Such processing is outside the scope of the LPPD and will not require the explicit consent of the personal data subject.
The Methods for the Anonymization of Personal Data
Anonymization of personal data is the rendering of personal data impossible to be associated with an identified or identifiable natural person, even through matching such with other data.
To anonymize personal data, the personal data must be rendered impossible to be associated with an identified or identifiable natural person, even by using suitable techniques for the recording medium and relevant field of activity, such as the recovery of data by the data controller or recipient groups and/or matching the data with other data.
Anonymization purports that all direct and/or indirect identifiers in a dataset are removed or replaced, whereby the data subject is precluded from being identified, or cannot distinguish such person in a group or crowd, in a manner in which they can no longer be associated with a natural person. Any data is deemed anonymized when it does not indicate any specific person as a result of the preclusion or loss of such properties. In other words, anonymized data constitute any information which identified a natural person prior to this process, yet cannot be associated with the data subject after such process and have been disassociated therewith. The objective of anonymizing personal data is to cut the link between the data and the person identified thereby. All such link-breaking operations carried out by automated or non-automated methods such as grouping, masking, derivation, generalization, randomization, etc. which are applied to the records in the filing system where personal data are stored are referred to as anonymization methods. The data which are obtained as a result of the application of these methods should be incapable of identifying any specific person.
Exemplary anonymization methods are described below:
Anonymization Methods which do not Create Value Irregularity: In methods which do not create value irregularities, no change or addition, subtraction is applied to the values of the data in the cluster; instead, changes are made to all rows or columns in the cluster. Thereby, while changes are encountered in every part of the data, the values in the fields retain their original state.
Removing the Variables
Removing the Variables is a method of anonymization which is achieved by means of deleting one or more of the variables from the table in its entirety. In such a case, the entire column in the table will be removed completely. This method can be used for reasons such as the variable being a highly descriptive variable, or the non-existence of a better solution, the variable being too sensitive to be disclosed to the public, or nor serving analytical purposes.
Removing the Records
In this method, anonymity is strengthened by removing a line containing singularity in the dataset, and the likelihood of generating assumptions about the dataset is reduced. In general, the records that are removed are those which do not have a common value with other records and which can easily be guessed by those who have an idea of the dataset. For example, in a dataset which includes survey results, solely one person from any sector is included in the survey. In such a case, it may be preferable to remove only the record pertaining to this person rather than removing the “sector” variable from all survey results.
In the regional masking method, the objective is to make the dataset more secure and to reduce the risk of predictability. If the combination of the values of a particular record creates a very uncommon condition, and there is a high probability to cause the person to become distinguishable in the relevant community, the value that creates the exception is changed to “unknown”.
Generalization is the process of converting the relevant personal data from a special value to a more general value. It is the most commonly used method for generating cumulative reports and performing operations based on total figures. The resulting new values demonstrate the total values or statistics of a group that make it impossible to reach a natural person. For instance, let’s assume that a person with the Turkish ID No of 12345678901 buys diapers from the e-commerce platform, and thereafter buys wet napkins as well. In the anonymization process, it can be deduced by using the generalization method that xx% of the people, who buy diapers from the e-commerce platform also buy wet napkins.
Lower and Upper Limit Coding
The upper and lower limit coding method is achieved by defining a category for a given variable and combining the values which fall within the grouping generated by such category. In general, the lower or higher values in a given variable are combined, and it is proceeded by making a a new definition for these values.
The global coding method is a grouping method which is used in datasets with values that cannot be applied to lower and upper limit codes, that do not contain numerical values or that cannot be numerically sorted. It is generally used when it is easier to cluster certain values and execute estimates and assumptions. A common and new group for the selected values is created, and all records in the dataset are replaced by this new definition.
In the sampling method, instead of the entire dataset, a subset from the cluster is described or shared. Thereby, the risk of generating accurate estimations of persons is reduced since it is not known whether a person known to be in the entire dataset is included in the disclosed or shared subset sample or not. Simple statistical methods are used to determine the subset to be sampled. For instance, it might be meaningful to carry out scans and make estimates in the relevant dataset of a woman who is known to live in Istanbul if a dataset of demographic information, occupations and health statuses of women living in Istanbul are anonymously disclosed or shared. Yet, only the records of the women, who are registered in the civil registration office in Istanbul, are left in the relevant dataset and the anonymization is applied and data are disclosed or shared by removing those registered in other cities from the dataset of those who are not living, a malicious person who accesses the data will not know the city of registration of a woman who is known to live in Istanbul, he will not be able to execute a reliable estimation whether the information pertaining to such person is included within the dataset possessed thereby or not.
Anonymization Methods which Create Value Irregularity: In the methods which create value irregularities, unlike the aforementioned methods, the values of the dataset are distorted by changing the existing values. In such case, since the values of the records are changed, it is necessary to correctly calculate the benefit planned to be attained from the dataset. Even if the values in the dataset are changed, it is still possible to benefit from the data by ensuring that the total statistics remain intact.
In this method, all records in the dataset are first arranged in a meaningful order and then the whole set is subdivided into a certain number of subsets. Thereafter, the average of the value of the specified variable of each subset is taken, the value of such variable in the subset is replaced with the average value. Hence, there will not be any change in the average value of that variable for the entire dataset.
The data exchange method concerns the change of records obtained by exchanging values of a variable subset between the pairs selected from the records. This method is mainly used for categorized variables, and the main idea is to transform the database by changing the values of the variables between the records pertaining to individuals.
In this method, additions and subtractions are made in order to achieve the determined distortions in a selected variable. This method is mostly applied to datasets which contain numeric values. Distortion is applied equally to each value.
Statistical Methods which Strengthen Anonymization
In consequence of the combination of some values in the records with individual scenarios in anonymized datasets, the identities of the persons in the records may be determined or assumptions regarding their personal data may be derived.
Therefore, anonymity can be strengthened by using various statistical methods in the anonymized datasets by minimizing the singularity of the records in the dataset. The main objective of these methods is to minimize the risk of anonymity distortion while keeping the benefit of the dataset at a certain level.
The trust in anonymization processes has been shaken by the identities of the persons in the records becoming identifiable or the information pertaining to a specific person becoming easily predictable in case of the indirect identifiers being combined with the correct combinations in the anonymized datasets. Accordingly, the datasets anonymized by the various statistical methods had to be made more reliable. K-anonymity has been developed to prevent the disclosure of information specific to persons who exhibit unique characteristics in certain combinations by allowing the identification of more than one person in specific fields in a dataset. If there are multiple records of combinations created by bringing together some of the variables in a dataset, it is less likely to identify the persons corresponding to that combination.
The L-diversity method, which has been developed through the studies conducted on the shortcomings of K-anonymity, takes into account the diversity of the sensitive variables corresponding to the same variable combinations.
Although the L-diversity method provides diversity in personal data, there are circumstances where it cannot provide adequate protection since the method does not deal with the content and sensitivity of personal data. As such, the process of calculating the degree of proximity of personal data and values among themselves and anonymizing the dataset by subdividing it according to these proximity degrees is referred to as the T-proximity method.
Choosing the Anonymization Method
Our Company decides which of the above methods will be applied by looking at the data in hand and considering the following properties of the dataset which is held:
Nature of the data;
Size of the data;
Structure of data in physical environments;
The benefit desired to be derived from the data / the purpose for processing of data;
Data processing frequency;
Reliability of the party to which the data will be transferred;
The efforts to be spared for anonymizing the data being meaningful;
The magnitude of the damage which may arise in case of deterioration of the anonymity of data, and its area of impact;
The distribution/centrality ratio of the data;
Control of authorization of users’ access to relevant data; and
The probability that the efforts to be spared to devise and carry out an attack which would disrupt anonymity being meaningful.
While anonymizing data, our Company checks – through contracts to be executed and risk analyses to be undertaken – whether such data is capable of re-identifying a person by using known or publicly available information from other institutions and organizations to which it transfers personal data.
When our Company decides to anonymize personal data instead of erasing or destructing it, it pays attention to not disrupting anonymity by combining the anonymized dataset with any other datasets, or creating a meaningful whole when one or more values can make a record unique, and ensures that the values in the dataset cannot be combined to produce an assumption or result, and we carry out controls on the datasets anonymized by our Company when the properties which are listed herein change and ensure that anonymity is remains intact.
Risks of De-anonymization by Reverse Processing of Anonymized Data
Since anonymization is a process applied to personal data destroying the distinctive and identifiable properties of the dataset, there is a risk that these operations can be reversed by various interventions and that anonymized data becomes re-identifiable and allow natural persons to be distinguished. This is referred to as de-anonymization. Anonymization processes can be accomplished only by manual or automated processes, or by hybrid processes consisting of a combination of the foregoing processes. However, it is important that after anonymized data is shared or disclosed, measures are taken to prevent anonymity from being compromised by new users who can access or own the data. The actions carried out intentionally about de-anonymization are called “de-anonymization attacks”. Within this scope, our Company investigates whether there is a risk that anonymized personal data may be reversed by various interventions, and that anonymized data may become re-identifiable and allow natural persons to be distinguished, and takes actions accordingly.
HOW DO WE PROTECT YOUR PERSONAL DATA?
In order to protect your personal data and prevent unlawful access thereto, our Company takes necessary administrative and technical measures in accordance with the Personal Data Security Guidelines published by the PDP Authority, prepares the procedures within the Company, drafts the privacy and explicit consent texts, conducts any necessary audits to ensure the implementation of the provisions of the LPPD in accordance with art. 12(3) of the LPPD, or commissions the conducting thereof through outsourcing. The results of such audits are evaluated within the scope of the internal operation of the Company and necessary actions are taken to improve the measures adopted.
Your personal data mentioned hereinabove will be transferred to physical archives and information systems of our Company and/or our suppliers and will be kept in both digitally and physically. The technical and administrative measures taken to ensure the security of personal data will be thoroughly explained below under two headings:
We use generally accepted standard technologies and operational security methods, including the standard technology called Secure Socket Layer (SSL), for the protection of the personal information which are collected. However, due to the nature of the Internet, information may be accessed by unauthorized persons over networks without the necessary security measures. We take technical and administrative measures to protect your data from risks such as destruction, loss, alteration, unauthorized disclosure or unauthorized access, depending on the current state of technology, the cost of technological applications, and the nature of the data to be protected. Within this scope, we execute data security agreements with the service providers with which we work with. Detailed information on such service providers are accessible from the related areas below:
|Google Ireland Limited||Business applications (e.g. e-mail, document and calendar)||Gordon House, Barrow Street, Dublin 4, Dublin, D04 E5W5Data centers located in various regions of the world (EU, Chile, Singapore, Taiwan, USA)||https://www.google.com/about/datacenters/inside/locations/index.html|
|Microsoft Limited||Azure cloud services||Microsoft Campus, Thames Valley Park, Reading, RG6 1WG, U.K.||https://azure.microsoft.com/de-de/support/trust-center/|
- Ensuring Cyber Security: We use cyber security products to ensure personal data security. However, the technical measures which we take are not limited thereto. The first line of defense against attacks from environments such as the internet is established through measures such as firewall and gateway. Nevertheless, nearly all software and hardware are subjected to certain installation and configuration operations. Taking into account that some of the commonly used software, and in particular, the older versions thereof, may have documented security vulnerabilities; unused software and services are removed from the devices. Therefore, the removal of unused software and services, rather than keeping them up-to-date should be primarily preferred due to its convenience. Patch management and software upgrades ensure to regularly check whether the software and hardware operate properly and whether the security measures adopted for the systems are sufficient or not.
- Access Restrictions: Access rights to systems containing personal data are restricted and reviewed regularly. Within this scope, employees are granted access rights to the extent as is necessary for their functions, duties, powers and responsibilities, and access to related systems is granted with a user name and password. When creating such passwords and passwords, combinations of uppercase and lowercase letters, numbers and symbols are ensured to be preferred instead of numbers or letter sequences which are associated with personal information and which can be easily guessed. An access authorization and control matrix are created accordingly.
- Encryption: In addition to using strong codes and passwords, access is restricted with methods such as limiting the number of log-in attempts to protect against common attacks like the use of brute force algorithm (BFA); ensuring the frequent change of codes and passwords; opening administrator account and admin privileges only for use when so required; and deleting accounts of and restricting access for employees whose employment contracts with the data controller are terminated, as soon as possible.
- Anti-Virus Software: In order to protect against malware, products such as antivirus or antispam which regularly scan the information system network and detect hazards are also used and are regularly kept current, and necessary files are regularly scanned. If personal data will be obtained from different websites and/or mobile application channels, it is ensured that connections are established via SSL or through more secure methods.
- Monitoring of Personal Data Security: Monitoring of personal data security includes the checking of which software and services are operating in information networks, the determination of whether there is any penetration into information networks or any other prohibited action or not, the maintenance of the transaction activities of all users regularly (such as log records), the reporting security issues as fast as possible. In addition, a formal reporting procedure is also created for employees to report security weaknesses in the systems and services and the threats which take advantage of such weaknesses. In cases of undesired events such as an information system crash, malicious software, decommissioning attack, missing or incorrect data entry, violations of privacy and integrity, abuse of the information system, evidences thereon are collected and stored securely.
- Ensuring the Security of the Mediums Containing Personal Data: If personal data are stored on the devices or in printed form which are located in the data controller’s premises, physical security measures are taken against threats such as theft or loss of such devices and papers. The physical environments containing personal data are protected against external risks (fire, flood etc.) by suitable methods, and the entries to / exits from such environments are controlled.
If personal data are on electronic mediums, access between network components can be restricted or separated to prevent personal data security breaches. For example, if a certain part of the network in use which is solely allocated for this purpose is limited and personal data are processed therein, the available resources may be reserved for the security of this limited area, not the entire network.
Measures at the same level are also taken for hard copies, electronic mediums and devices containing personal data pertaining to our Company located outside our Company’s premises. In fact, although personal data security breaches frequently occur due to theft and loss of devices containing personal data (laptop, mobile phone, flash disk etc.), personal data to be transmitted by e-mail or post is also sent carefully and by taking with adequate measures. Sufficient security measures are also adopted in case employees access the information system network with their personal electronic devices.
Access control authorization and/or encryption methods are used against situations such as loss or theft of devices containing personal data. Within this scope, the password key is stored in the environment which is only accessible to authorized persons, and unauthorized access is prevented thereby.
Hard copy documents containing personal data are also stored in a locked environment which is only accessible to authorized persons, and unauthorized access to such documents is prevented thereby.
If any personal data are acquired by others through unlawful means, our Company will inform the PDP Board and the data subjects thereof as soon as possible pursuant to art. 12 of the LPPD. If the PDPD Board deems it necessary, the PDP Board may announce this situation on its website or by any other means.
- Storage of Personal Data on Cloud: In the event that personal data are stored on cloud, it is necessary for our Company to assess whether the security measures taken by the cloud storage service provider are sufficient and appropriate. Within this scope, a two-step authentication check is applied for knowing in detail, backing up, synchronizing the personal data stored on cloud and if so required, providing remote access. During storage and use of personal data in these systems, they must be encrypted by the cryptographic methods and placed in cloud environments after encryption, and where possible for personal data, especially for each cloud solution service that is received, use of separate encryption keys are ensured. At the end of the cloud service relationship, all copies of the encryption keys, which may be used to make personal data usable, are destructed. Access to data storage areas with personal data is logged and improper access or access attempts are instantly communicated to those concerned.
- Procurement, Development and Maintenance of Information Technology Systems: Security requirements are taken into consideration whilst determining the requirements regarding the procurement, development or improvement of new systems by our Company.
- Back-up of Personal Data: If any personal data is damaged, destroyed, stolen or lost due to any reason whatsoever, our Company enables recovery by making use of the backed-up data within the shortest time possible. The backed-up personal data is accessible only by the system administrator, and data set back-ups are stored outside the network.
- All activities carried out by our Company have been analyzed in detail for all business units/departments, and as a result of such analysis, a process-based personal data processing inventory has been prepared. In the referred inventory, areas posing risks are identified and necessary legal and technical measures are continuously taken (e.g. the documents which are required prepared pursuant to the LPPD have been drafted by considering the risks set forth in this inventory).
- Personal data processing activities which are carried out by our Company are audited by information security systems, technical systems and legal methods. Policies and procedures on personal data security are established, and regular controls are conducted in this regard.
- Our Company may receive services from external service providers, from time to time, to satisfy its information technology needs. In such case, we take action by ensuring that these Data Processor external service providers meet at least the security measures adopted by our Company. Under these circumstances, a written agreement is signed with the Data Processor and the agreement includes at least the following matters:
- The Data Processor will act only in accordance with the instructions of the Data Controller, the purpose and scope of the data processing which are indicated in the agreement, the LPPD and other legislation;
- The Data Processor will act in accordance with the Personal Data Retention and Destruction Policy;
- The Data Processor is obliged to keep any data confidential for an indefinite period in relation to the personal data processed thereby;
- In case of any data breach, the Data Processor is obliged to forthwith inform the Data Controller thereof;
- Our Company will perform or have the necessary audits performed on the Data Processor’s systems containing personal data, and may examine the reports and service provider on site;
- The Data Processor will take the necessary technical and administrative measures for the security of personal data; and
- Additionally, as long as the nature of our relationship with the Data Processor so permit, the categories and types of the personal data transferred to the Data Processor are also indicated in a separate article.
- Employees who are specialized in technical issues are employed.
- Our Company has designated provisions on confidentiality and data security in the Employment Agreements to be signed during the recruitment process of its employees and demands that the employees comply with these provisions. The employees are regularly informed of and trained about the personal data protection law and the adoption of necessary measures in accordance with such law. The roles and responsibilities of the employees have been reviewed and their job descriptions have been revised therefor.
- Technical measures are taken in accordance with technological developments, and the measures which are taken are periodically checked, updated and renewed.
- The access authorizations are limited and regularly reviewed.
- The technical measures which are taken are regularly reported to the authorized officer, and the issues that pose risks are reviewed and efforts are spared to generate the necessary technological solutions.
- Software and hardware including virus protection systems and firewalls are installed.
- The backup programs are used in order to ensure the secure storage of personal data.
- Security systems are used for storage areas, technical measures taken are periodically reported to the person(s) concerned as a result of internal controls, risk issues are re-evaluated and necessary technological solutions are generated. The files/print-outs which are physically stored are stored through the supplier companies and subsequently destructed in accordance with the established procedures.
- The protection of personal data is also accepted by the senior management, a special Committee (the PDP Committee) has been established therefor and the PDP Committee has initiated its studies. A management policy regulating the operating rules of the Company’s PDP Committee has been put into effect within the Company, and the duties of the PDP Committee have been thoroughly explained therein.
A separate policy on the processing and protection of special categories of personal data has been drafted and put into effect.
Since the data revealing racial or ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and appearance, memberships to association, foundation or union, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data pose the risk of causing aggrievedness to and discrimination against persons if unlawfully processed, they are regulated as special categories of personal data in art. 6 of the LPPD, and the processing of such data has been subjected to a more stringent protection regime.
Pursuant article 10 of the LPPD, our Company informs to the Data Subjects during the collection of special categories of personal data. Special categories personal data are processed by taking appropriate measures and carrying out the necessary audits or having such carried out in accordance with LPPD. In principle, one of the conditions for processing special categories of personal data is the attainment of the explicit consent of the data subject. Our Company offers data subjects the opportunity to give a free and informed explicit consent on a specific issue.
In principle, our Company seeks the explicit consent of the Data Subjects in writing for the processing of special categories of personal data. However, pursuant to art. 6(3) of the LPPD and in case of the existence of any of the conditions specified in article 5(2) of the LPPD, the explicit consent of the Data Subjects is not sought. In addition, it is stipulated in art. 6(3) of the LPPD that personal data revealing health and sexual life can be processed by persons who are under a legal obligation of secrecy or by competent institutions and organizations without explicit consent of the data subject for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment or provision of care, planning and management of health services and their financing. The general data processing principles are followed and adhered to in the processing processes at all times, irrespective of the grounds therefor.
Our Company takes special measures to ensure the security of special categories of personal data. Pursuant to the data minimization principle, special categories of personal data are not collected unless necessary for the business process concerned, and are processed only when so required. In case of the processing of special categories personal data, the technical and administrative measures which are deemed as necessary are taken for fulfillment of the statutory obligations and for compliance with the measures which are designated by the PDP Board.
WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?
Pursuant to art. 11 of the LPPD, you possess the following rights regarding your personal data, as a data subject:
- Being informed of whether your personal data are processed by our Company or not;
- Requesting information thereon if your personal data have been processed;
- Being informed of the purpose for the processing of your personal data and whether such data were used in conformity with such purpose or not;
- Knowing the third parties in Turkey or abroad to whom/which your personal data are transferred;
- Requesting the rectification of your incomplete or inaccurate personal data which were processed, and the notification of the operations carried out within this scope, to the third parties to whom/which personal data were transferred;
- Requesting the deletion or destruction of your personal data despite the processing in accordance with the LPPD and other applicable legal provisions, once the reasons necessitating the processing cease to exist, and the notification, of the operation carried out within this scope, to third parties to whom/which your personal data were transferred;
- Objecting to any outcomes to your detriment by means of the analysis of the processed data exclusively through automated means;
- Claiming the compensation of your damages, in case you incurs any damages due to the unlawful processing of your personal data.
Yoy may communicate such requests to our Company, free of charge, as per the Application Communiqué, by using the following methods:
- Filling in the form available from www.pulver.com/gizlilik_politikası and delivering such personally to the following address as originally signed: Gebze Osb Mahallesi 3200. Cadde No:3201/1 Gebze Kocaeli (please note that you would have to present an ID);
- Filling in the form available from www.pulver.com/gizlilik_politikası and delivering such through the notary public to the following address as originally signed: Gebze Osb Mahallesi 3200. Cadde No:3201/1 Gebze Kocaeli;
- Filling in the application form available from www.pulver.com/gizlilik_politikası and signing it with your “secure electronic signature” as per the Electronic Signature Law No. 5070 and sending the form bearing the secure electronic signature to [email protected] through registered electronic mail; and
- Delivering a written request by using your e-mail address which was previously notified to our Company and which is registered at our Company’s system.
The following should be included in the application:
Name, surname and if the application is in writing, signature; Turkish ID Number for Turkish citizens; for foreigners, nationality, passport number or if any, ID number, residence or business address for notification/service; if any, electronic mail address for notification, phone or facsimile number, subject of request. Relevant information and documents will also be attached to the application.
Third parties cannot make requests on behalf of personal data subjects. In order for a person other than the personal data subject to be able to make a request, there should be an originally signed and notarized copy of the special power of attorney which is issued on the relevant matter in the name of the person who will file the application. The application will contain your explanations about the right which you possess as a personal data subject and which you request to exercise your rights mentioned above, and your request should be clear and comprehensible, and should either concern you personally or if you are acting on behalf of another person, you should be specially authorized in this regard, and should document your power. The application should further contain identification and address details, and the documents substantiating your identity must be attached thereto.
Applications to be filed by your party in this regard will be concluded within the short time possible and at most within 30 days. These applications are free of charge. However, in case the operation requires an additional cost, the fee in the tariff designated by the PDP Board may be charged.
If the personal data subjects submit their requests to our Company in accordance with the stipulated procedure, our Company will conclude the request free of charge within the shortest time and at most within thirty days depending on the nature of the request. However, in case the operation requires an additional cost, our Company may charge the applicants with the fee in the tariff which is designated by the PDP Board. Our Company may demand the data subject to provide any information in order to determine whether the applicant is indeed a personal data subject or not. Our Company may direct questions to the personal data subjects regarding their applications, in order to clarify the issues set forth in their applications.
If our Company declines your application, you consider the response to be unsatisfactory or we fail to respond within due time; pursuant to art. 14 of the LPPD, you can file a complaint with the PDP Board within thirty days as of the date on which you learn about the response of our Company, and in any case, within sixty days as of the date of application.
WHAT ARE THE CONDITIONS UNDER WHICH THE DATA SUBJECTS CANNOT ASSERT THEIR RIGHTS?
Given that the following cases are excluded from the scope of the LPPD pursuant to article 28 of the LPPD, the personal data subjects cannot assert the rights mentioned above where:
- personal data are processed for the purpose of official statistics and for research, planning and statistical purposes after having been anonymized;
- personal data are processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defense, national security, public security, public order, economic security, right to privacy or personal rights are not violated or they are processed so as not to constitute a crime;
- personal data are processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorized and assigned to maintain national defense, national security, public security, public order or economic security; and
- personal data are processed by judicial authorities or execution authorities with regard to investigation, prosecution, criminal proceedings or execution proceedings.
Pursuant to article 28(2) of the LPPD, personal data subjects cannot assert any rights, other than the right to claim damages, in the following cases where personal data processing is:
- required for the prevention of a crime or crime investigation;
- carried out on the data which are made public by the personal data subject himself/herself;
- required for inspection or regulatory duties and disciplinary investigation and prosecution to be carried out by the public institutions and organizations and by professional associations having the status of public institution, assigned and authorized for such actions, in accordance with the power conferred on them by the law; and
- required for protection of State’s economic and financial interests with regard to budgetary, tax-related and financial issues.
As thoroughly explained hereinabove, your personal data can be stored, classified according to market research, financial and operational processes and marketing activities, updated at different periods, and to the extent permitted by the legislation, pursuant to the laws and confidentiality principles, and transferred to any 3rd Parties and/or suppliers and/or services providers and/or foreign shareholders, with which we are affiliated, as the service so requires; and information may be transferred, stored, reported and processed in electronic or printed form in accordance with the policies which are binding upon our party and for other reasons which are stipulated by other authorities, and may be issued electronically or in hard copy, as records and documents forming the basis for the operation.
In case of any inconsistency between the provisions of the LPPD and other applicable legislation and this Policy, the provisions of the LPPD and other applicable legislation will prevail.
This Policy which has been drafted by our Company entered into force, in accordance with the resolution of the Board of Directors of Pulver.
Please kindly note that this Policy may be updated, due to the changes in the legal provisions from time to time as well as changes in our company policies. The most current version of the Policy will be available from our website.
Prior to entering our website, the User(s) irrevocably accept(s), declare(s) and undertake(s) that (s)he/they have read this Policy on the Protection of Personal Data; that (s)he/they will abide by all matters which are indicated herein; and that the contents of the website and all electronic mediums and computer records will constitute conclusive evidence as per art. 193 of the Code of Civil Procedure.
ANNEX – ABBREVIATIONS
|Law No. 5651||The Law on the Regulation of Publications on the Internet and Combatting Crimes Committed by Means of Such Publications, which entered into force upon its promulgation in the Official Gazette dated May 23, 2007 and numbered 26530|
|Constitution||The Constitution of the Republic of Turkey dated November 7, 1982 and numbered 2709, which was promulgated in the Official Gazette dated November 9, 1982 and numbered 17863|
|Application Communiqué||The Communiqué on the Procedures and Principles for Application to Data Controllers, which entered into force upon its promulgation in the Official Gazette dated March 10, 2018 and numbered 30356|
|Data Subject(s)||A natural person, whose personal data are processed, such as any customers of Pulver or any related group company of Pulver, corporate customers with which a business relationship is maintained, business partners, shareholders, officers, candidate/prospective employees, interns, visitors, suppliers, and employees of the organizations with which it cooperates, third parties and other persons which are not limited to those enumerated above.|
|Regulation on the Deletion, Destruction and Anonymization of Personal Data||The Regulation on the Deletion, Destruction and Anonymization of Personal Data which was promulgated in the Official Gazette dated October 28, 2017 and numbered 30224 and which entered into force on January 1, 2018|
|LPPD||The Law on the Protection of Personal Data which entered into force upon the promulgation in the Official Gazette dated April 7, 2016 and numbered 29677|
|PDP Board||The Personal Data Protection Board|
|PDP Authority||The Personal Data Protection Authority|
|Policy||This Policy on the Protection of Personal Data and Privacy of Pulver|
|Company/ Pulver||Pulver Kimya Sanayi ve Ticaret A.Ş.|
|Turkish Penal Code||Turkish Penal Code dated September 26, 2004 and numbered 5237 which was promulgated in the Official Gazette dated October 12, 2004 and numbered 25611|