PROTECTION OF PERSONAL DATA
Personal Data Protection and Processing Policy
Version 1.1
| First Publication Date |
Last Updated Date
Page No
10.02.2021 1/18
ALTOHOLDİNG A.Ş. PERSONAL DATA PROTECTION, PROCESSING AND PRIVACY POLICY
1 | Altoholding A.S. Personal Data Protection, Processing and Privacy Policy
Table of Contents
1. PURPOSE AND SCOPE .........................................................................................................................3
2. POLICY GUIDELINES .....................................................................................................................4
2.1. GENERAL PRINCIPLES..........................................................................................................................4
2.2. GROUPS OF PERSONS COVERED BY THE POLICY .......................................................................4
3. GROUPS OF PERSONS COVERED BY THE POLICY.........................................................................4
3.1. COMPLIANCE WITH DATA PROCESSING CONDITIONS .............................................................................4
3.1.1. COMPLIANCE WITH FUNDAMENTAL PRINCIPLES ............................................................................................5
3.1.2. COMPLIANCE WITH PERSONAL DATA PROCESSING CONDITIONS.........................................................5
3.1.3. COMPLIANCE WITH SPECIAL PERSONAL DATA PROCESSING CONDITIONS................................6
3.1.4. COMPLIANCE WITH PERSONAL DATA TRANSFER CONDITIONS .....................................................7
4. DISCLOSURE OF PERSONAL DATA SUBJECTS ................................................................7
5. FINALIZATION OF REQUESTS OF PERSONAL DATA SUBJECTS........................................................8
5.1. RIGHTS OF PERSONAL DATA SUBJECTS..............................................................................8
5.2. CASES EXCLUDED FROM THE RIGHTS OF PERSONAL DATA OWNERS AS PER THE LEGISLATION .................................................................................................................................................9
6. ROLES AND RESPONSIBILITIES...............................................................................................10
6.1. COMPANY PERSONAL DATA PROTECTION (KVK) EXECUTIVE COMMITTEE.............................10
6.2. COMPANY KVK COMMITTEE ...........................................................................................................10
7. ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA............................................11
8. PURPOSES OF PROCESSING PERSONAL DATA AND PERSONAL DATA GROUPS SUBJECT TO DATA PROCESSING ACTIVITIES ...................................................................................................12
8.1. PERSONAL DATA CATEGORIES............................................................................................. 12 8.2. PURPOSES OF PROCESSING PERSONAL DATA................................................................. 14 8.3. PAYLAŞILAN TARAF KATEGORİLERİ ................................................................................15 9. SHARED PARTY CATEGORIES.................................................................. 16 10. WEBSITE USAGE ...............................................................................................16 11. REVIEW ....................................................................................................................17 12. DEFINITIONS....................................................................................................................................17
2
1. Purpose and Scope
Altoholding A.Ş. (hereinafter referred to as "Altoholding" or "the Company") makes every effort to comply with all applicable legislation regarding the processing and protection of personal data.
Altoholding A.Ş. Within the framework of the Personal Data Protection and Processing Policy ("Policy"), the principles adopted by the Company in the conduct of personal data processing activities are explained.
The Policy aims to ensure the sustainability of the Company's "principle of conducting company activities in accordance with the law and honesty rules and in transparency". In this context, the basic principles adopted in terms of compliance of the Company's data processing activities with the regulations in the Personal Data Protection Law No. 6698 ("KVKK") are determined and the practices fulfilled by Altoholding Company are explained.
The Policy is intended for natural persons whose personal data are processed by Altoholding Company by automatic or non-automatic means, provided that they are part of any data recording system.
3
2. Policy Guidelines
2.1. General Principles
The Policy is available on the website of Altoholding Company, which is open to the access of personal data owners ( http://www.altoholding.com/ ) is published. In parallel with the amendments and innovations to be made in the legislation, the amendments to be made in the Policy will be made available in a manner that data subjects can easily access.
In the event of a conflict between the legislation in force regarding the protection and processing of personal data and this Policy, Altoholding Company accepts that the legislation in force shall apply.
2.2. Groups of Persons Covered by the Policy
The groups of Data Subjects covered by the Policy and whose personal data are processed by Alto Holding Company are as follows:
Employee Candidates
No service contract has been established with Altoholding Company, but for the purpose of establishment, Altoholding
They are people who have applied to the firm.
Officials, Employees of Business Partners
Real person officials, shareholders, employees of the organizations with which Alto Holding Company has commercial relations.
Firma Ziyaretçileri
The buildings in which the Altoholding Company operates or the buildings used by the Altoholding Company
Employees Real persons who have a service contract with Alto Holding Company. 3. Principles Regarding the Processing and Protection of Personal Data
3.1. Compliance with Data Processing Terms
While carrying out personal data processing activities, the Company acts in accordance with (i) the basic principles set out in Article 4, (ii) the personal data processing conditions set out in Article 5 and (iii) the special categories of personal data processing conditions set out in Article 6 of the KVKK.
3.1.1. Compliance with Fundamental Principles
(1) Processing personal data in accordance with the law and good faith
The Company carries out its personal data processing activities in accordance with the law and the rule of honesty in accordance with the Constitution of the Republic of Turkey, in particular, the KVKK and the relevant secondary legislation.
4
(2) Ensuring the accuracy and timeliness of processed personal data
While carrying out the processing of personal data by the Company, all necessary administrative and technical measures are taken to ensure the accuracy and timeliness of personal data within the technical possibilities. In this context, the Company has established mechanisms to correct and verify the accuracy of personal data of personal data owners in case their personal data is outdated or inaccurate.
(3) Processing personal data in a purpose-related, limited and measured manner
Personal data are processed by the Company in connection with the data processing conditions and for as long as necessary to fulfill the purpose of processing these services. In this context, the purpose of personal data processing is determined before the personal data processing activity is started, and data processing activity is not carried out with the assumption that it can be used in the future.
(4) Retain personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed
The Company retains personal data limited to the period stipulated in the relevant legislation or required by the purpose of data processing. In this direction, personal data are deleted, destroyed or anonymized by the Company in the event that the period stipulated in the legislation expires or the reasons requiring the processing of personal data disappear. Personal data are not stored by the Company based on the possibility of future use.
3.1.2. Compliance with Personal Data Processing Conditions
The Company carries out its personal data processing activities in accordance with the data processing conditions set forth in Article 5 of the KVKK. In this context, personal data processing activities are carried out in the presence of the personal data processing conditions listed below:
(1) Explicit Consent of the Relevant Person
Personal data processing activity is carried out by the Company in the event that the Data Subject gives consent to the processing of data about him/her, having sufficient information on a particular subject, freely and in a clear manner that leaves no room for hesitation.
(2) The Personal Data Processing Activity is Explicitly Stipulated in the Laws
In the event that there is a clear regulation in the laws regarding personal data processing, the Company may carry out personal data processing activities limited to the relevant legal regulation.
(3) Failure to Obtain Explicit Consent of the Data Subject Due to Actual Impossibility and Obligation to Process Personal Data
In cases where the Data Subject is unable to disclose his/her consent or his/her consent is not recognized as valid, if the processing of personal data is mandatory for the protection of the life or bodily integrity of persons, data processing activities are carried out by the Company within this scope.
(4) The Personal Data Processing Activity is Directly Related to the Establishment or Performance of a Contract
5
In cases directly related to the establishment or performance of a contract, if it is necessary to process personal data belonging to the parties to the contract, data processing activity is carried out by the Company.
(5) Execution of Personal Data Processing Activity is Mandatory for Altoholding Company to Fulfill its Legal Obligation
In the event that the Company, which has adopted it as a Company policy to show the necessary sensitivity in compliance with the law, has a legal obligation, personal data processing activity is carried out to fulfill the legal obligation.
(6) Publicization of Personal Data by the Data Subject
Personal data made public (disclosed to the public in any way) by the person concerned are processed by the Company in accordance with the purpose of publicization.
(7) Data Processing is Mandatory for the Establishment, Exercise or Protection of a Right
In the event that the processing of personal data is mandatory for the establishment, exercise or protection of a right, personal data processing is carried out by the Company in parallel with this obligation.
(8) Provided that it does not harm the fundamental rights and freedoms of the Data Subject
In case personal data processing is mandatory for the legitimate interests of the Company, data processing activity may be carried out if the fundamental rights and freedoms of the Data Subject will not be harmed. Within this framework, the existence of a balance between the legitimate interests of Alto Holding Company as the "data controller" and the fundamental rights and freedoms of the Data Subject will be sought.
3.1.3. Compliance with Special Categories of Personal Data Processing Conditions
The Company pays special attention to the processing of sensitive personal data. In this context, in the processing of special categories of personal data by the Company, first of all, it is determined whether the data processing conditions exist with sensitivity, and data processing activities are carried out after ensuring the existence of the legal compliance condition.
Sensitive personal data may be processed by the Company in the following cases, provided that adequate measures determined by the Board are taken:
(1) Processing of Personal Health Data
Personal health data may be processed by the Company in the presence of one of the conditions listed below, provided that (i) taking adequate measures to be stipulated by the Ministry of Health, (ii) acting in accordance with general principles and (iii) being under the obligation of confidentiality:
- Existence of the explicit written consent of the Data Subject,
- Protection of public health,
- Preventive medicine,
- Conducting medical diagnosis, treatment and care services,
6
- Planning and management of health services and financing.
(2) Processing of Sensitive Personal Data other than Health and Sexual Life
Special categories of personal data other than health and sexual life may be processed by the Company upon the explicit consent of the Data Subject or in cases stipulated by law.
3.1.4. Compliance with Personal Data Transfer Conditions
In the personal data transfers to be carried out by the Company, the personal data transfer conditions regulated in Articles 8 and 9 of the KVKK are complied with.
(1) Domestic Transfer of Personal Data
In accordance with Article 8 of the LPPD, the Company acts in accordance with the data processing conditions (See Policy 3.1.) in data transfer activities to be carried out domestically.
(2) Transfer of Personal Data Abroad Pursuant to Article 9 of the KVKK, personal data may be transferred abroad by the Company; (i) in accordance with the personal data processing conditions (See Policy 3.1.) and (ii) if the country of transfer is one of the countries with adequate protection declared by the Board or if there is no adequate protection in the relevant foreign country, the data controllers in Turkey and the relevant foreign country undertake an adequate protection in writing and with the permission of the Board.
(3) Groups of Persons to whom Personal Data is Transferred by the Company
In accordance with Articles 8 and 9 of the KVKK, the Company may transfer the personal data of the data owners within the scope of the Policy (See Policy 2.2.) to the groups of persons listed below for the specified purposes:
-
(i) To third party service providers who process personal data on behalf of the Company, limited to the fulfillment of the Company's commercial activities,
-
(ii) Limited to the Company's business partners for the purpose of ensuring the establishment and maintenance of the business partnership,
-
(iii) To the Company's suppliers, limited to the purpose of performing the business activities of Altoholding Company,
-
(iv) To authorized public institutions and organizations and authorized private law persons, limited to the purpose requested within the legal authority of the persons concerned,
-
(v) To third parties, in accordance with the terms of personal data transfer.
4. Disclosure of Personal Data Subjects
In accordance with Article 10 of the LPPD, the Company carries out the necessary processes to ensure that data subjects are informed during the acquisition of personal data. In this context, the disclosure texts provided by the Company to data subjects mainly contain the information listed below:
7
(1) Title of the Company,
(2) The purpose for which the personal data of data subjects will be processed by the Company,
(3) To whom and for what purpose the processed personal data may be transferred,
(4) The method and legal reason for collecting personal data,
(5) The Relevant Person has the rights listed below;
- Learn whether their personal data is being processed,
- Request information if their personal data has been processed,
- To learn the purpose of processing personal data and whether they are used for their intended purpose,
- To know the third parties to whom personal data are transferred domestically or abroad,
- To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction to third parties to whom personal data is transferred,
- Although it has been processed in accordance with the provisions of the KVKK and other relevant laws, in the event that the reasons requiring its processing disappear, to request the deletion or destruction of personal data and to request notification of the transaction to third parties to whom personal data is transferred,
- To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
- In case of damage due to unlawful processing of personal data, to demand compensation for the damage.
5. Finalization of Personal Data Subjects' Requests
If the data subjects submit their requests regarding their personal data to the Company in writing, the Company, as the data controller, carries out the necessary processes to ensure that the request is finalized as soon as possible and within thirty (30) days at the latest, depending on the nature of the request, in accordance with Article 13 of the KVKK.
Within the scope of ensuring data security, the Company may request information to determine whether the applicant is the owner of the personal data subject to the application. The Company may also ask questions to the Data Subject regarding the application in order to ensure that the application of the Data Subject is finalized in accordance with the request.
In cases where the application of the Relevant Person is likely to prevent the rights and freedoms of other persons, requires disproportionate effort, the information is public information, the request may be rejected by the Company by explaining the reason.
c
Pursuant to Article 11 of the LPPD, you may apply to the Company and make a request on the following issues:
(1) To learn whether your personal data is being processed,
8
(2) Requesting information if your personal data has been processed,
(3) To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
(4) Learning the third parties to whom your personal data are transferred domestically or abroad,
(5) To request correction of your personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom your personal data has been transferred,
(6) Although it has been processed in accordance with the provisions of KVKK and other relevant laws, to request the deletion and destruction of your personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom your personal data has been transferred,
(7) To object to the occurrence of a result against you by analyzing your processed data exclusively through automated systems,
(8) In case you suffer damage due to unlawful processing of your personal data, to demand the compensation of the damage.
5.2. Cases Excluded from the Rights of Personal Data Owners Pursuant to the Legislation
Pursuant to Article 28 of the KVKK, it will not be possible for personal data owners to assert their rights on the following issues, since the following situations are not covered by the KVKK:
(1) Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
(2) Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
(3) Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
(4) Processing of personal data by judicial or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
Pursuant to Article 28/2 of the KVKK; In the cases listed below, it will not be possible for personal data owners to assert their rights, except for requesting compensation for the damage:
(1) Processing of personal data is necessary for the prevention of crime or criminal investigation.
(2) Processing of personal data made public by the Data Subject.
9
(3) Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by the law.
(4) the processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters.
6. Roles and Responsibilities
6.1. Company Personal Data Protection (KVK) Executive Committee
Altoholding Company Personal Data Protection and Processing Policy is responsible for the implementation of Altoholding Company Personal Data Protection and Processing Policy in all Company-wide activities and processes. In order to fulfill this responsibility, the Company's PDP Executive Committee has established the Altoholding Company Personal Data Protection Committee, which will ensure the necessary coordination within the Company within the scope of ensuring, preserving and maintaining compliance with the personal data protection legislation within the Company. Altoholding Personal Data Protection Committee, which convenes under the chairmanship of the Risk Management Coordinator and consists of representatives from the Financial Affairs Department, Legal Affairs Department, Audit Department, Human Resources Department, Corporate Relations and Communication Coordinator and Information Technologies Coordinator, will prepare the necessary regulations and guidelines within the scope of compliance with the KVKK throughout Altoholding Company. All employees and units of Altoholding Company are obliged to ensure the implementation of this Policy and compliance with the Policy.
6.2. Company PDP Committee
The "Company PDP Committee" has been established by the Company to ensure the necessary coordination within the Company within the scope of ensuring, maintaining and maintaining compliance with the personal data protection legislation. The Company PDP Committee is responsible for ensuring unity among the Company units and for the execution and improvement of the systems established to ensure that the activities carried out comply with the personal data protection legislation.
In this context, the main duties of the Company's PDP Committee are as follows:
- To prepare and put into effect basic policies regarding the protection and processing of personal data within the company,
- To decide how the implementation and supervision of the policies regarding the protection and processing of personal data within the Company will be carried out, and to make internal assignments and ensure coordination within this framework,
- To determine the matters to be done to ensure compliance with the KVKK and related legislation; to oversee and coordinate its implementation,
- Raising awareness within the Company and the organizations with which it cooperates on the protection and processing of personal data,
- To ensure that necessary measures are taken by identifying the risks that may arise in the Company's personal data processing activities; to submit suggestions for improvement,10
- Designing and conducting trainings on the protection of personal data and implementation of policies,
- To decide on the applications of personal data subjects,
- To coordinate the execution of information and training activities to ensure that personal data owners are informed about the Company's personal data processing activities and their legal rights,
- To prepare and put into effect amendments to the basic policies on the protection and processing of personal data,
- To follow the developments and regulations on the protection of personal data; to advise senior management on what needs to be done in Company operations in accordance with these developments and regulations,
- Managing relations with the Institution and the Board,
- To perform other duties to be assigned by the Company's PDP Executive Committee on the protection of personal data.
- Regular reporting to the Company's PDP Executive Committee on compliance with the PDP Law.
7. Ensuring the Security and Confidentiality of Personal Data
In order to prevent unlawful disclosure, transfer, unlawful access to personal data or other security deficiencies that may occur in other ways, the Company takes all necessary measures within the possibilities, depending on the nature of the data to be protected.
In this context, all necessary (i) administrative and (ii) technical measures are taken by the Company, (iii) an audit system is established within the company, and (iv) in case of unlawful disclosure of personal data, the Company acts in accordance with the measures stipulated in the KVKK.
(1) Administrative Measures Taken by Altoholding Company to Ensure Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data
- The Company trains and raises awareness of its employees regarding the law on the protection of personal data.
- In cases where personal data is subject to transfer, the Company shall ensure that the contracts concluded by the Company with the persons to whom personal data is transferred include records stating that the party to whom personal data is transferred will fulfill the obligations to ensure data security.
- Personal data processing activities carried out by the Company are examined in detail and periodically reviewed and updated when necessary. In this context, the steps to be taken to ensure compliance with the personal data processing conditions stipulated in the KVKK are determined.
11
- The Company determines the practices that must be fulfilled in order to ensure compliance with the LPPD, regulates these practices with internal policies and periodically reviews and updates them when necessary.
(2) Technical Measures Taken by Altoholding Company to Ensure Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data
- Reasonable technical measures are taken by the Company regarding the protection of personal data to the extent possible by technology and the measures taken are updated and improved in parallel with the developments.
- In technical matters, expert personnel are employed or support is obtained from expert consultants when necessary.
- Regular audits are conducted for the implementation of the measures taken. - Software and systems to ensure security are installed.
- Authorization to access personal data processed within the Company is limited to the relevant employees in line with the determined processing purpose.
(3) Conducting Audit Activities on the Protection of Personal Data by the Company
The operation of the technical and administrative measures taken by the Company within the scope of protecting and ensuring the security of personal data is audited and practices are carried out to ensure the continuity of the functioning. The results of the audit activities carried out within this scope are reported to the Company's PDP Committee and the relevant department within the Company. In line with the audit results, activities are carried out to ensure the development and improvement of the measures taken regarding data protection
(4) Measures to be Taken in Case of Unlawful Disclosure of Personal Data
Within the scope of the personal data processing activity carried out by the Company, in cases where it is determined that personal data has been unlawfully obtained by unauthorized persons, the situation will be notified to the Board and the relevant data subjects without delay.
8. Purposes of Processing Personal Data and Personal Data Groups Subject to Data Processing
8.1. Categories of Personal Data
Personal data in the following groups are processed by the Company partially or completely automatically or non-automatically as part of the data recording system.
12
| PERSONAL DATA CATEGORIES | EXPLANATIONEXPLANATION |
| Identity Information | Personal data containing information about the identity of the person; documents such as driver's license, identity card and passport containing information such as name-surname, Turkish ID number, nationality, mother's name-father's name, place of birth, date of birth, gender, and information such as tax number, SSI number, signature information, vehicle license plate, etc. |
| Contact Information | Contact information; personal data such as telephone number, address, e-mail address, fax number. |
| Physical Space Security Information | Personal data relating to records and documents taken at the entrance to the physical space, during the stay in the physical space; camera records, fingerprint records and records taken at the security point, etc. |
| Transaction Security Information | Personal data processed to ensure the technical, administrative, legal and commercial security of both the Data Subject and the Company while conducting the Company's commercial activities. |
| Risk Management Knowledge | Personal data processed through methods used in accordance with generally accepted legal, commercial customs and good faith in these areas for the management of commercial, technical and administrative risks. |
| Legal Procedure and Compliance Knowledge | Personal data processed regarding information, documents and records showing all kinds of financial results created within the scope of the legal relationship between the Company and the Data Subject, and personal data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information. |
| Legal Procedure and Compliance Knowledge | Personal data processed within the scope of the determination and follow-up of the Company's legal receivables and rights and the performance of its debts and compliance with its legal obligations and Company policies. |
| Audit and Inspection Knowledge | Personal data processed within the scope of the Company's legal obligations and compliance with Company policies. |
13
| Sensitive Personal Data | Data specified in Article 6 of the LPPD (e.g. health data, including blood type, biometric data, religion and membership of associations) |
| Request/Complaint Management Information | Personal data relating to the receipt and evaluation of any request or complaint addressed to the Company. |
| Reputation Management Knowledge | Personal data associated with the person and collected for the purpose of protecting the Company's commercial reputation (e.g. posts made about the Company) |
8.2. Purposes of Processing Personal Data
Personal data are processed by the Company for the purposes listed below in accordance with the data processing conditions and principles. The existence of the purposes listed below may vary for each Data Subject.
The personal data obtained are processed by the Company within the scope of the personal data processing conditions specified in Articles 5 and 6 of the KVKK and for the purposes listed below:
- Planning and/or Execution of Internal Training Activities,
- Planning and Execution of Emergency Management Processes,
- Planning and Execution of Corporate Sustainability Activities,
- Planning Human Resources Processes,
- Follow-up of Legal Affairs,
- Planning and Execution of Business Activities,
- Establishment and Management of Information Technologies Infrastructure,
– Bilgi Güvenliği Süreçlerinin Planlanması,
- Planning Information Security Processes,
- Planning and Execution of Internal Orientation Activities,
- Planning and/or Execution of Activities for Conducting Effectiveness/Efficiency and/or Relevance Analyses of Business Activities,
- Ensuring that Data is Accurate and Up-to-Date,- Recruitment / Employment,
- Ensuring the Security of Company Campuses and/or Facilities,
14
-
- Creating and Tracking Visitor Records,
-
- Follow-up of Contract Processes and/or Legal Claims,
-
- Planning and/or Execution of Business Continuity Ensuring Activities,
-
- Planning and Execution of Company Audit Activities,
-
- Planning and Execution of Operational Activities Required to Ensure that Company Activities are Conducted in Compliance with Company Procedures and/or Relevant Legislation,
- Realization of Company and Partnership Law Transactions,
- Ensuring the Security of Company Operations,
- Management and/or Supervision of Relations with Affiliates,
- Execution of Personnel Recruitment Processes,
-
- Corporate Governance Planning and Execution of Activities,
- Execution of Strategic Planning Activities,
- Planning and Execution of External Training Activities.
-
8.3. Shared Party Categories
Altoholding Company may transfer the personal data of the data owners within the scope of the Policy (See Section 2.2.) to the groups of persons listed below for the specified purposes in accordance with the principles set out in the KVKK and, in particular, Articles 8 and 9 of the KVKK:
- Company suppliers,
- Company partners,
- Third parties who process personal data on behalf of the Company,
- Authorized public institutions and organizations and authorized private law persons,
- To other third parties in accordance with the terms of data transfer.
The scope of the above-mentioned persons to whom data is transferred and the possible data transfer purposes are stated below.
| PERSONS TO WHOM DATA CAN BE TRANSFERRED | DESCRIPTION | DATA TRANSFER PURPOSE |
15
| Business Partner | Parties with whom the Company has established business partnerships for purposes such as conducting its commercial activities | Limited to ensure the fulfillment of the purposes for which the joint venture was established |
| Supplier | Parties that provide services to the Company in accordance with the Company's orders and instructions and on a contractual basis within the scope of carrying out the Company's commercial activities | Limited to the purpose of providing the Company with the services outsourced by the Company from the supplier and necessary to fulfill the Company's commercial activities |
| Subsidiaries | Companies in which the Company is a shareholder | Limited to ensuring the execution of the Company's commercial activities that require the participation of the Company's subsidiaries |
| Legally Authorized Public Institutions and Organizations | Public institutions and organizations authorized to receive information and documents from the Company in accordance with the provisions of the relevant legislation | Limited to the purpose requested by the relevant public institutions and organizations within the legal authority |
| Legally Authorized Private Law Persons | Private law persons authorized to obtain information and documents from the Company in accordance with the provisions of the relevant legislation | Limited to the purpose requested by the relevant private law persons within their legal authority |
9. Closed Circuit Camera (CCTV) Usage
In the building where Altoholding Company's company headquarters is located, your visual and audio data may be obtained through a closed circuit camera system for purposes such as preventing criminal behavior, ensuring the security of the building, its surroundings, tools and equipment, visitors and employees, and may be stored only for the period required for these purposes. All necessary technical and administrative measures will be taken by the Company to ensure the security of personal data obtained through the closed circuit camera system.
10. Website Usage
On the websites owned and managed by the Company, to ensure that visitors to these sites carry out their visits in accordance with their purpose of visit, to provide them with customized content, to provide social media features, to provide relevant
16
The internet movements of visitors within the website are recorded in order to facilitate the visit by remembering them in case they visit the website again.
The Company may refrain from using the cookies it uses on the websites it owns and manages, change their types or functions, or add new cookies. The Company will process the personal data obtained through such cookies in accordance with the KVKK and the terms and conditions of this Policy.
Detailed explanations regarding the protection and processing of personal data in terms of the websites in question are included in the "Privacy Policy" texts of the relevant websites.
11. Review
This Policy will be reviewed by the Company's PDP Committee at least once a year and updated if necessary. The Company's PDP Senior Committee is authorized and responsible for the entry into force, amendment, execution and abrogation of this Policy.
12. Definitions
The definitions of the terms used in the Policy are given below:
Open Consent
:
Consent on a specific issue, based on information and freely given.
| Anonymization : | Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching it with other data. |
| Regulation on the Processing of Personal Health Data : | Regulation on Processing and Ensuring the Privacy of Personal Health Data published in the Official Gazette dated October 20, 2016 and numbered 29863 |
Personal Health Data
Personal Data Data Subject
:
: :
Any health information relating to an identified or identifiable natural person.
Any information relating to an identified or identifiable natural person.
The natural person whose personal data is processed. For example; Customers and employees.
17
| Processing of Personal Data : | Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. |
| KVKK : | Law on the Protection of Personal Data dated March 24, 2016 and numbered 6698, published in the Official Gazette dated April 7, 2016 and numbered 29677. |
Board : Institution :
Politics :
Altoholding Company / : Company
Altoholding Company Business Partners : Altoholding Company Suppliers:
Personal Data Protection Board Personal Data Protection Authority
Altoholding A.Ş.
Data Protection and Processing Policy
Altoholding A.Ş.
Parties with whom Altoholding Company establishes business partnerships for various purposes while conducting its commercial activities. Altoholding on a contractual basis
To the Company parties providing services.
| Sensitive Personal Data : | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. |
| Constitution of the Republic of Turkey : | Constitution of the Republic of Turkey dated November 7, 1982 and numbered 2709, published in the Official Gazette dated November 9, 1982 and numbered 17863. |
| Turkish Penal Code: | Turkish Penal Code dated September 26, 2004 and numbered 5237; published in the Official Gazette dated October 12, 2004 and numbered 25611. |
| Data Controller : | The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically. |
18
