BENO PLASTIK AMBALAJ VE SAN.TIC. A. S. PROCESSING AND PROTECTION OF PERSONAL DATA POLICY
1.1. In general
Ensuring the confidentiality and security of your personal data Beno Plastik Ambalaj ve San. Tic. A. S. (‘Company’) is among our most important priorities.
The process and targeted purpose, managed by this Personal Data Processing and Protection Policy (“Policy”) and other written policies within our Company, regarding the processing and protection of your personal data;
It is the legal processing and protection of the personal data of the persons whose personal data are processed ("Personal Data Owners") and informing the Personal Data Owners.
1.2. Purpose and Scope of the Policy
The main purpose of this Policy is to make explanations about the personal data processing activities carried out by our Company in accordance with the law and the systems adopted for the protection of personal data and to inform the Personal Data Owners in this context. The scope of this policy is related to all personal data of Personal Data Owners that are processed automatically or non-automatically, provided that they are part of any data recording system.
1.3. Implementation of the Policy and Related Legislation
This Policy has been regulated within the framework of the principles set forth by the relevant legislation. Our company accepts that in case of inconsistency between the legislation in force and this Policy, the applicable legislation will find an area of application.
DEFINITIONS AND ABBREVIATIONS
-Explicit consent means freely given, specific and informed consent,
-Anonymization means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data,
-Constitution: T.C. Constitution dated 1982.
-Employee: Beno Plastik Ambalaj ve San. Tic. A. S. employees.
-Employee Candidate: Beno Plastik Ambalaj ve San. Tic. A. S. has applied for a job by any means or has a CV and relevant
-Personal data means any information relating to an identified or identifiable natural person,
-Processing of personal data means any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof,
-Board means the Personal Data Protection Board,
-Authority means the Personal Data Protection Authority,
-Institution: Personal Data Protection Authority
-KVKK: Law on Protection of Personal Data No. 6698
Special categories of personal data: Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data
• Policy: Beno Plastik Ambalaj ve San. Tic. A. S. Personal Data Processing and Protection Policy.
• Application Form to Data Controller: The application form that data owners will use when using their applications regarding their rights in Article 11 of the KVKK.
Periodic Destruction Process: Despite being processed in compliance with the provisions of this Law and other relevant laws, personal data shall be erased, destructed or anonymized by the data controller, ex officio or on the request of the data subject, in the event that the reasons for the processing no longer exist.
-Data Processor means the natural or legal person who processes personal data on behalf of the data controller upon its authorization,
-Data filing system means the system where personal data are processed by being structured according to specific criteria,
-Data Controller means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.
3. PRINCIPLES OF PROCESSING PERSONAL DATA
3.1. Processing of Personal Data in Compliance with the Principles Established in the Legislation
Lawfulness and Conscionability
Our company adopts the principle of complying with the law and the rules of honesty in all transactions to be carried out on personal data and informs the personal data owners about the purpose of use of the personal data collected by adopting the principle of transparency.
Ensuring personal data is being accurate and kept up to date where necessary
Our company has a system and process to ensure the accuracy and up-to-dateness of the personal data it processes while processing personal data. In this context, personal data owners can make it possible to keep their personal data constantly accurate and up-to-date by applying to our company.
Being processed for specified, explicit and legitimate purposes
Our company clearly states the purpose of processing personal data within legitimate and legal limits.
Being relevant, limited and proportionate to the purposes for which they are processed
Our company processes personal data within the scope of the purposes related to its field of activity and necessary for the conduct of its business. In this context, it avoids processing personal data that is not related to the realization of the purpose and is not needed now or in the future while carrying out data processing activities.
Our company stored personal data for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.
3.2. Processing of Personal Data Based on and Limited to One or More of the Personal Data Processing Conditions specified in Article 5 of the KVKK
Our company processes personal data only on the basis of the explicit consent of the person concerned or without explicit consent in cases where explicit consent is not required in the law.
personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:
a) It is expressly provided for by the laws.
b) any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
c) Processing of personal data of the parties of a contract is necessary if it is directly related to the establishment or performance of the contract.
d) It is necessary for compliance with a legal obligation to which the data controller is subject.
e) Personal data have been made public by the data subject himself/herself.
f) Data processing is necessary for the establishment, exercise, or protection of any right.
g) Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
3.3. Processing of Special Categories of Personal Data
Personal data determined as "special categories" by KVKK due to the risk of causing victimization or discrimination of individuals when processed unlawfully, has been requested to be handled separately in this policy due to the sensitivity of our Company to such personal data. By our company; Special categories of personal data can be processed in the following cases if the personal data owner does not consent, provided that adequate measures to be determined by the Board are taken.
-Personal data concerning health and sexual life may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.
3.4. Transfer of Personal Data
Your personal data can be transferred to the companies from which the service is received, to our other organizations, supervisory organizations within the framework of audit activities, our shareholders, our group companies, legally authorized public institutions and organizations, our suppliers and business partners, our foreign legal entity partners, cloud service for storage and backup, to the third parties to whom the service is provided and/or abroad, within the framework of the personal data processing conditions and purposes specified in Article 8 and Article 9 of the KVKK in order to fulfill the purposes specified in this policy.
4. PRINCIPLES ON THE PROTECTION OF PERSONAL DATA
4.1. Technical and Administrative Measures Taken for Ensuring the Legal Processing of Personal Data, Ensuring its Protection and Preventing Unlawful Access to Personal Data
4.1.1. Technical Measures
The main technical measures taken by our company to ensure that personal data are processed in accordance with the law, to protect them and to prevent unlawful access to personal data are as follows:
• Network security and application security are provided.
• Closed system network is used for personal data transfers via network.
• Key management is implemented.
• Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
• The security of personal data stored in the cloud is ensured.
• An authorization matrix has been created for the employees.
• Access logs are kept regularly.
• Data masking is applied when necessary.
• The authorizations of employees who have a change in duty or quit their job in this field are removed.
• Current anti-virus systems are used.
• Firewalls are used.
• Extra security measures are taken for personal data transferred via paper and related Personal data security problems are reported quickly.
• Personal data security is monitored.
• Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
• The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
• The security of environments containing personal data is ensured.
• Personal data is reduced as much as possible.
• Personal data is backed up and the security of the backed up personal data is also ensured.
• User account management and authorization control system is implemented and these are also followed.
• In-house periodic and/or random audits are conducted and made.
• Log records are kept without user intervention.
• Existing risks and threats have been identified.
• If sensitive personal data is to be sent via e-mail, it must be encrypted and
• It is sent using KEP or corporate mail account.
• Secure encryption / cryptographic keys are used for sensitive personal data and are managed by different units.
• Intrusion detection and prevention systems are used.
• Penetration test is applied.
• Cyber security measures have been taken and their implementation is constantly monitored.
• Data of special persons transferred in portable memory, CD, DVD media are encrypted and transferred.
• Data loss prevention software is used.
4.1.2. Administrative Measures
The main administrative measures taken by our company to ensure that personal data are processed in accordance with the law, to ensure their preservation and to prevent unlawful access to personal data are as follows:
• There are disciplinary regulations that include data security provisions for employees.
• Training and awareness activities are carried out periodically for employees on data security.
• Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
• Documents are sent in confidential document format.
• Personal data security policies and procedures have been determined.
• Protocols and procedures for special quality personal data security have been determined and implemented.
• Data processing service providers are periodically audited on data security.
• Awareness of data processing service providers on data security is ensured.
• Our employees are informed and trained on the law of protection of personal data and the processing of personal data in accordance with the law.
• With the contracts and documents governing the legal relationship between our company and employees, with the exception of our instructions and the exceptions brought by the law, records that impose the obligation not to process, disclose or use personal data are set, and the awareness of the employees on this issue is increased.
-Awareness is created and implemented in the relevant business units in order to meet the legal compliance requirements determined on the basis of our business units. The necessary administrative measures to ensure the supervision and continuity of the implementation of these issues are implemented with internal policies and trainings.
• Access to personal data and authorization processes are designed and implemented in our company in accordance with business unit-based legal compliance requirements.
• Provisions are added to the contracts signed by our company with third parties to whom personal data are transferred in accordance with the law, stating that necessary security measures will be taken to protect the transferred personal data and that these measures will be complied with in their own establishments.
4.2.Protection of special categories of personal data
Personal data, which is determined by our company as a special categoreies of personal data with KVKK and processed in accordance with the law, are protected with sensitivity. In this context, the technical and administrative measures taken by our company for the protection of personal data are carefully implemented in terms of the protection of special categories of personal data.
5. APPLICATION OF THE DATA SUBJECT TO THE DATA SUBJECT, OUR COMMUNICATION CHANNELS AND THE EVALUATION PROCESS OF THE APPLICATION
5.1. Subject of Application
Our company attaches great importance and value to the rights of personal data owners and we enable them to easily exercise these rights. For this purpose, an Application form to Data Controller, where Personal Data Owners can easily submit their requests, has been prepared and published on our website.
Each person has the rights by making an application to our Company;
-to learn whether his/her personal data are processed or not,
- to demand for information as to if his/her personal data have been processed,
- to learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with the purpose,
- to know the third parties to whom his personal data are transferred in country or abroad,
- to request the rectification of the incomplete or inaccurate data, if any,
- to request the erasure or destruction of his/her personal data under the conditions referred to in KVKK 7
-to request reporting of the operations carried out pursuant to sub-paragraphs (d) and (e) to third parties to whom his/her personal data have been transferred,
- to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,
- to claim compensation for the damage arising from the unlawful processing of his/her personal data.
5.2. Application Method and Address
Our communication channels and method in which the above-mentioned rights will be used,
It is available on our website at www.benoplast.com under the name of the Application Form to the Data Controller.
5.3. Post Application Process
Applications submitted to us are answered within 30 (thirty) days at the latest from the date of receipt of the request, depending on the nature of the request.
5.4. Application Fee
Applications are made free of charge as a rule. However, if the transaction requested by the personal data owner requires an additional cost, the directions determined by the Board will be charged by our Company.
6. ENLIGHTENING AND INFORMING THE PERSONAL DATA OWNERS
Our company, in accordance with the regulation of Article 10 of the KVKK, is to enlighten the personal data owners with this Policy regarding the process of obtaining personal data through the Clarification texts and other texts which are easily accessible on our website
7. PERSONAL DATA STORAGE PERIOD
Our company keeps personal data for the period specified in these legislations, if it is foreseen in the relevant legislation. If the purpose of processing personal data has ended and the storage period determined by the relevant legislation and the company has come to an end, personal data can be stored only to provide evidence in possible legal disputes or to assert the relevant right related to personal data. In the establishment of the periods herein, the statute of limitations for asserting the aforementioned right is taken as basis. In this case, personal data is not accessed for any other purpose. Personal data is destroyed after the expiry of the said period.
8. PERSONAL DATA PROCESSING ACTIVITIES IN OUR BUILDINGS AND FACILITIES
8.1. Monitoring with Camera at Building and Facility Entrances and Inside
Personal data processing activities are carried out by our Company to ensure the security of our customers, visitors, employees, people we serve and to prevent crime and to monitor the entrance/exits with security cameras placed in the building and facility where we perform these services.
8.2. Informing about the Monitoring Activity with a Camera
Personal Data Owners are informed by our company in accordance with Article 10 of the KVKK; it is aimed to prevent the fundamental rights and freedoms of Personal Data owners from being damaged and to provide transparency. For the monitoring activity with camera, our company illuminates on its website both with this Policy (Online Policy) and with a notification letter stating that monitoring will be made at the entrances of the areas where monitoring is performed.
8.3. Personal Data Processing Activities with Call Center Services
If you contact our call center, we process your personal data for the purpose of receiving, evaluating and finalizing your questions, requests, complaints and suggestions and ensuring customer satisfaction.