Law On The Protection Of Personal Data

1. PURPOSE

Establishment of the procedures and principles to be followed in the protection and processing of the personal data in compliance with “the Personal Data Protection Law” and the relevant sub-legal regulations in ADO Group companies.

2. BASIC PRINCIPLES

  • 2.1. In the protection and processing of the personal data, the provisions set forth in this policy, “the Personal Data Protection Law” and the other legal regulations issued depending on this law are taken as basis.
  • 2.2. The personal data covers all kinds of information belonging to the real person whose identity is definite or determinable. The special quality personal data is information about race, ethnical origin, political beliefs, philosophical beliefs, religion and faith, sects or other beliefs, clothing and attire, membership to foundations, unions or societies, health, sex life, criminal conviction and sentence, security measures as well as biometric and genetic data.
  • 2.3. The personal data is stored in the locations/departments and systems designated by the Board as specified in “the Authorization List”. The personal data is processed, accessed and used only by the authorized persons. (FR.YNT.01.001)
  • 2.4. The protection of the personal data is a constitutional right and is among the priorities of our Company. For this purpsoe, for the management of the processes for the protection of the personal data, the follow-up of the developments and the analysis of the developments, “the Personal Data Protection Committee” (the Committee) was established within the body of our Company. The working principles and procedures of the committee are detailed under the heading 3.1.3. of this policy
  • 2.5. The necessary procedures have been established, the disclosure forms have been issued, the non-disclosure agreement have been signed, the job definitions have been revised and all of the necessary administrative and technical measures have been taken for the protection of the personal data within the body of the Company for the implementation of the issues set forth in this policy.
  • 2.6. “The special quality personal data” belonging to the ADO Group employees, the suppliers, customers, potential customers with whom the ADO is in business relationship and the visitors is protected and processed by our Company within the framework of the principles specified in “the Special Quality Personal Data Protection and Processing Procedure”.(PR.YNT.00.001)
  • 2.7. The personal data may not be processed, transferred to any other person/system, used and submitted without the explicit consent of the data owner. The explicit consent of the person is obtained expressly and based on information and free will.
  • 2.8. For the persons who record and share the personal data in contrary to the principles set forth in this policy and the legal legislation and/or who do not delete the personal data when necessary, the issues specified in the Articles 135-140 of the Turkish Criminal Law and also the decisions of the Disciplinary Board of the Company are applied
  • 2.9. All ADO employees are responsible in person for the protection and security of the personal data.
  • 2.10. Periodical inspection is made as specified in “the Inspection Systems Activities Procedure” by the Internal Inspection Department with regard to the compliance with the Personal Data Protection Law, the other relevant legal regulations and this policy.(PR.YNT.01.002)

3. APPLICATION PRINCIPLES

  • 3.1. ENSURING THE CONFIDENTIALITY AND SECURITY OF THE PERSONAL DATA
    Our Company has taken all technical and administrative measures set forth under the sub-headings 3.1.1. and 3.1.2. in this policy for ensuring the suitable security level in order to prevent the personal data from being processed in contrary to the law and prevent the access to the data and to ensure the protection of the data properly in compliance with the Personal Data Protection Law and it performs the necessary controls and inspections within this scope.
    • 3.1.1. Technical Measures
      • 3.1.1.1. In our Company, all kinds of technical security measures have been taken for the purpose of protecting the personal data and processing it securely and the top level protection is ensured against the potential risks. All technical measures taken are fulfilled by the Information Technologies Department.
      • 3.1.1.2. In order not to be exposed to the attacks from both inside and outside in the information technologies systems including personal data, the cyber crimes or the malicious software, the actions specified below are taken:
        • The records of the transaction movements of all users in the software including personal data are kept regularly. (Log records)
        • The security of the access to the areas where the personal data is stored is had tested by an independent expert institution by means of the penetration tests performed at a yearly period and as a result of such tests, the nonconformities and/or gaps, if any, are eliminated.
        • The security software messages, the access control records and the other reporting tools are continuously controlled.
        • In case of the occurrence of undesired events such as collapse of the information system, malicious software, deactivation attack, deficient or faulty data entry, violations distorting the confidentiality and integrity, misuse of the information system, the evidences are collected and kept securely
        • If security problems are found out, a report is immediately sent to the senior management and to the consultant company which is a party to the process.
        • The physical environments where the servers containing the personal data are present are protected against external threats (fire, earthquake etc.) by appropriate methods and the entrances/exits are recorded by cameras.
        • The information e-mails are frequently sent to the personnel on the security gaps and weaknesses in the system and/or services.
      • 3.1.1.3. The software and virus protection systems including the firewalls are used.
      • 3.1.1.4. For the personal data to be stored in secure environments, the systems suitable for the technological developments are used. In the technical measures taken for the storage areas, the issues which constitute risk are periodically evaluated and the necessary technological solutions are produced.
      • 3.1.1.5. The personal data in the electronic environment is accessed as specified in “the Access Authorization List”. (FR.YNT.01.016)
      • 3.1.1.6. The access authorization controls are always peformed on the systems which provide the opportunity to access to the personal data.
      • 3.1.1.7. It is ensured that the data supervisors periodically back up the personal data against the risk for the personal data to be damaged, destroyed, stolen or lost for any reason.
      • 3.1.1.8. The expert persons with the suicient technical knowledge on the data processing are employed.
      • 3.1.1.9. The technological developments are closely followed up, then the existing systems are updated and the necessary measures are taken.
  • 3.1.2. Administrative Measures
    • 3.1.2.1. For the purpose of protecting and processing the personal data in the most secure manner, all kinds of administrative measures are taken within the body of the Company.
    • 3.1.2.2. In the case of the possibility of occurrence and the occurrence of the risks that might arise with respect to protecting and ensuring the security of the personal data, the losses that they will cause are determined properly and the appropriate measures are taken. While determining the risks and threats, the following issues are taken into account:
      • Whether the personal data is special quality data,
      • At which degree the personal data requires confidentiality level as required by their nature,
      • Quality and quantity of the damage that might arise for the relevant person in case of the security violation.
    • 3.1.2.3. After the identification of the risks and threats, all alternative control systems and solution manners for reducing the risks, eliminating the risks etc. are evaluted by observing the principles of cost, applicability and usefulness and the risk processing options are applied in accordance with “the Risk Management Procedure”.(PR.YNT.01.003)
    • 3.1.2.4. The necessary internal control systems are established on a business unit basis with regard to the protection and processing of the personal data.
    • 3.1.2.5. The Company personnel is continuously given training and informed on the compliance with the Personal Data Protection Law, the access to the personal data in contrary to the law etc.
    • 3.1.2.6. When it becomes necessary to purchase service from outside due to the administrative or technical requirements on the processing, storage and protection of the personal data by our Company, the provisions regarding that the necessary security measures will be taken for the protection of the data with the party to which the personal data is transferred and it will be ensured that these measures are complied with in its own institutions are included in the contracts and this contract is signed for the security and protection of the personal data pursuant to the Personal Data Protection Law.
    • 3.1.2.7. The documents which include the Personal Data Protection issues (procedures, contracts, letters of commitment, specifications etc.) include the obligations not to process, disclose and use the personal data except for this policy and the Personal Data Protection Law.
    • 3.1.2.8. The information is given and the necessary measures are taken with regard to the issues that the employees will not disclose the personal data in which they are involved and/or which they have learnt to third parties, will not use the personal data for any purpose other than the processing purpose, this obligation will continue also after their resignation and the personal data will be stored in secure environments
    • 3.1.2.9. The personal data in the physical environment is accessed as specified in “the Access Authorization List”. (FR.YNT.01.016)
  • 3.1.3. Activities of the Personal Data Protection Committee
  • 3.1.3.1. In order to manage the works regarding the protection of the personal data within the body of the Company “the Personal Data Protection Committee” was established. The committee members are composed of the Chairman of the Board of Directors, Director of the Presidency Oice, Legal Consultant, Human Resources/Administrative Aairs Director and Inspection Systems Director. The president of the committee is the Legal Consultant. At the meetings in which the Chairman of the Board of Directors participates, the Chairman of the Board of Directors presides the meeting.
  • 3.1.3.2. In the Committee, the decisions are taken by the majority of votes. In case of equality, the decision of the President of the Committee is taken as basis. The Inspection Systems Director has no voting right
  • 3.1.3.3. The Committee meets in a monthly periods. Apart from this, if requested by any of the committee members and/or in case of any extraordinary circumstance, the Committee can meet immediately.
  • 3.1.3.4.The duties of the Committee are specified as follows:
    • To determine the need for the documentation in relation to the protection and processing of the personal data and to make the modifications or carry out the revision works when necessary,
    • To determine the issues required to be performed for ensuring the compliance with the Personal Data Protection Law and the relevant legislation and to submit them to the senior management for approval,
    • To decide the application of the policies regarding the protection and processing of the personal data and how the inspections will be performed and to submit the issues regarding making assignment within the company and ensuring the coordination within this framework to the senior management for approval,
    • To increase the awareness within the Company and in the institutions with which ADO Group is in business relationship with regard to the protection and processing of the personal data,
    • To determine the risks that might arise in the personal data processing activities and to ensure that the necessary measures are taken; to submit the improvement recommendations to the senior management for approval,
    • To ensure that trainings are organized for ensuring that the personal data owners are informed about the data processing activities and their legal rights in the protection and transfer of the personal data and the application of the policies,
    • To receive the requests of the personal data owners on the issues such as information request, data deletion and data storage and to forward them to the Senior Management,
    • To follow up the developments and regulations on the protection of the personal data, which are notified and published by the Personal Data Protection Board associated to the Prime Ministry; to determine the actions required to be taken within the Company in compliance with these developments and regulations and to forward them to the Senior Management,
    • To notify the problems that occur with regard to the protection of the personal data to the Personal Data Protection Board and to take actions in line with the feedbacks received,
    • To execute the other duties to be assigned by the Chairman of the Board of Directors with regard to the protection of the personal data.
  • 3.2. PROCESSING OF THE PERSONAL DATA
    • 3.2.1. Procedures for the Processing of the Personal Data
      • 3.2.1.1. As specified in the Article 3 of the Personal Data Protection Law, all kinds of processes performed on the data such as obtaining, recording, storing, maintaining, changing, reorganizing, diclosing, transferring, taking over, making available, classifying the personal data or preventing the use of the personal data by wholly or partially automatic means or non-automatic means on condition that they are a part of any data recording system are included in the scope of the processing of the personal data.
      • 3.2.1.2. Our Company acts in compliance with the principles introduced with the legal regulations (Article 20 of the Constitutional Law and Article 4 of the Personal Data Protection Law) and the rules of trust and integrity in the processing of the personal data. Within this scope, the personal data is processed for the purposes of;
        • providing personnel, carrying out the human resources operations, (processes of issuing the personal files and payrolls, carrier management, training activities etc.), fulfilling the obligations within the framework of the occupational health and safety (health data) and taking the necessary measures in compliance with this policy in line with the execution of the human resources policies of our Company
        • carrying out the sale (demand, order, budgeting, contract) and purchase operations (proposal, evaluation etc.), accounting and finance operations, quality processes, communication and social responsibility activities which are carried out by our Company in line with the determination and application of the commercial and business strategies of our Company with the legal/real persons,
        • carrying out the activities with the public institutions and the institutions having public legal personality, which are authorized to obtain data (information, document etc.) from our Company in accordance with the provisions of the relevant legislation
        • carrying out the activities mentioned under the article 3 in the disclosure forms of Ado Group on condition that they will not be limited with the above items.
      • 3.2.1.3. The personal data processing activities are revealed by analyzing it separately on the basis of each process executed/department within the body of ADO
      • 3.2.1.4. With this policy, the following basic principles have been adopted in the processing of the personal data:
        • Compliance with the law and rules of integrity,
        • Ensuring that the personal data is correct and up-to-date,
        • Processing the personal data for specific, clear and legitimate purposes,
        • Ensuring the personal data is prudent, restricted and proportional with the processing purpose
        • Keeping the personal data for such period as stipulated in the relevant legislation or as necessary for their processing purpose,
        • Disclosure and information to the data owners before the processing of the personal data,
        • Establishing the necessary systems for the personal data owners to use their rights,
        • Taking the necessary measures in the protection of the personal data,
        • Acting in compliance with the relevant legislation and the regulations of the Personal Data Protection Board in the transfer of the personal data to the third persons in line with the requirements of the processing purpose
        • Showing the due and diligent care in the processing and protection of the special quality personal data
      • 3.2.1.5. The personal data may not be processed without the express consent of the relevant person. In case of the presence of any of the terms specified below, the personal data can be processed without requiring the express consent of the relevant person:
        • It is explicitly stipulated in the laws,
        • It is strictly required for the protection of the life or physical body integrity of the person who may not disclose his consent due to actual impossibility or whose consent is not accepted as valid and applicable or someone else,
        • The corporation is invalid in commercial terms, its recognizability is lost,
        • Provided that it is directly related to the execution or performance of a contract, the processing of the personal data of the parties to the contract is strictly necessary
        • The personal data is obligatory for the Data Supervisor to be able to fulfill its legal liability,
        • The personal data has been publicized by the relevant person,
        • The data processing is mandatory for the establishment, use or protection of a right,
        • The personal data transfer is mandatory for our Company to fulfill its legal liability,
        • The data processing is obligatory for the legitimate interests of the Data Supervisor without prejudice to the fundamental rights and freedoms of the personal data owner.
      • 3.2.1.6. Within the scope of the Personal Data Protection Law and the relevant regulations, the trainings are given regularly on the data security, the non-disclosure agreements are signed, the authorization scope and period of the users who have the authorization to access to the data are clearly identified and the authorization controls are made periodically for the personnel of ADO with regard to the issues on the processig of the personal data. The authorizations of the personnel whose duty is changed or who quits the job are eliminated simultaneously.
    • 3.2.2. Processing of the Special Quality Personal Data
      • 3.2.2.1. In accordance with the 1st paragraph of the Article 6 of the Personal Data Protection Law, the special quality personal data is composed of the information about race, ethnical origin, political beliefs, philosophical beliefs, religion and faith, sects or other beliefs, clothing and attire, membership to foundations, unions or societies, health, sex life, criminal conviction and sentence, security measures as well as biometric and genetic data
      • 3.2.2.2 The personal data which is determined as “special quality” by our Company “may not be processed without the explicit consent of the r elevant person” as specified in the 2nd paragraph of the Article 6 of the Personal Data Protection Law. However, as specified in the 3rd paragraph of the same article (Article 6), the personal data other than health and sexual life can be processed without requiring the explicit consent of the relevant person in the cases stipulated in the laws. The personal data regarding health and sexual life, however, can be processed without requiring the explicit consent of the relevant person only by the persons who are under the obligation to keep secret or the authorized institutions and organizations for the purpose of protecting the public health, executing the protective medicine, medical diagnosis, treatment and care services and planning and managing the health services and theire finance.
  • 3.3. TRANSFER OF THE PERSONAL DATA
    • 3.3.1. As a general rule, the personal data may not be transferred without the explicit consent of the relevant person. However, in accordance with the Article 8 of the Personal Data Protection Law, the personal data can be transferred without requiring the explicit consent, provided that there is the suicient protection, if the requirements set forth in the 2nd paragraph of the Article 5 of the Personal Data Protection Law (the article 3.2.1.5. of this policy) and the 3rd paragraph of the Article 6 (the article 3.2.2.2. of this policy) are met.
    • 3.3.2. Also, in the transfer of the personal data to abroad, the issues specified in the article 3.3.1. are applicable and also the personal data can be t ransferred to abroad without requiring the explicit consent of the relevant person, provided that;
      • there is suicient protection,
      • in the absence of suicient protection, the data supervisors in Turkey and the relevant foreign country commit in written a suicient protection and there is the permission of the Board in the foreign country to which the personal data will be transferred in case of the presence of the items (specified below) in the 2nd paragraph of the Article 9 of the Personal Data Protection Law
  • 3.4. DELETION, DESTRUCTION AND ANONYMIZATION OF THE PERSONAL DATA
    When the processing purpose of the personal data has ended, when the storage periods determined by the relevant legislation and/or our Company have expired, when requested by the personal data owner or on its own motion, the personal data is deleted, destructed or anonymized by our Company. Within this scope, our Company fulfills its relevant obligations in accordance with the principles specified in the Article 7 of the Personal Data Protection Law and “the Regulation on the Deletion, Destruction and Anonymization of the Personal Data”.
    • 3.4.1. The process to be followed in the deletion of the personal data is specified as follows:
      • Determination of the personal data to be subjected to the deletion procedure,
      • Determination of the relevant users for each personal data by using the access authorization and control matrix or a similar system,
      • Determination of the authorizations and methods of the relevant users such as access, recovery, reuse,
      • Closure and elimination of the authorizations and methods of the relevant users such as access, recovery, reuse within the scope of the personal data.
    • 3.4.2. The methods to be followed in the destruction of the personal data are specified as follows:
      • Physical Destruction: Personal data can be processed also by non-electronic/automatic ways, provided that it is a part of any data recording system. When this type of data is deleted/destructed, the personal data is physically destructed in such a way that it cannot be used subsequently
      • • Deletion and Destruction in Server (Cloud) Environment: This means the methods regarding the deletion of the data from the relevant software in a manner that it will not be able to be recovered by specific persons or in any way while the data that is processed by wholly or partially electronic/automatic ways and kept in digital environments is deleted/destructed.
    • 3.4.3. The processes of anonymizing the personal data are specified as follows:
      • Masking: Data masking is the extraction of the basic determinant information of the personal data from the data set.
      • Aggregation: Data aggregation method is to aggregate large amount of data and make the personal data incapable of being associated with any other data
      • Data Derivation: A content that is more general than the contents of the personal data is created and it is ensured that the personal data is made incapable of being associated with anyone.
      • Data Shuffling: Breaking the connection between the values and the persons by mixing the values in the personal data set.
  • 3.5. PROTECTION OF THE PERSONAL DATA AND ACCESS
    Our Company acts in compliance with the period specified for keeping the personal data as specified in the Personal Data Protection Law or in line with the purpose for which they are processed and takes into account the legal and penal timeout periods within this scope. If the period is expired or the reasons requiring the processing of the personal data disappear, the personal data is deleted, destructed or anonymized by our Company.
    • 3.5.1. Protection of the Personal Data in Paper Environment
      • The personal data of the personnel is kept in the personal files in the paper environment.
      • The personal files can be accessed only by the personnel of the Human Resources Department.
      • The personal files are classified in the “Hidden” risk class.
      • The personal files can be achieved as “only the personnel working in the relevant department can access”.
      • The access of the persons who are not authorized to access to the personal files is permitted within the scope of the approval of the Chairman of the Financial and Administrative Aairs Group. The personal data is accessed in the custody of the authorized personnel.
      • The access security of the “Personal” and “Medical” files is under the responsibility of the Human Resources and Administrative Aairs Department.
      • In the determination of the unauthorized access cases, the action is taken in line with “the Disciplinary Procedure”. (PR.MII.02.001)
    • 3.5.2. Protection of the Personal Data in Digital Environment
      • The digital environments where the personal data is stored can be accessed only by the authorized personnel.
      • The accesses are kept under control with the passwords specific to persons and the accesses are recorded with the log records.
      • There are security systems such as firewall, virus programs for the protection of the data in the digital environment.
      • In taking all measures related to the protection of the personal data in the digital environment and the information security, the Manager of the Information Technologies Department is responsible within the scope of the company’s “Information Security” applications.
  • 3.6. RIGHTS AND OBLIGATIONS
    • 3.6.1. Rights of the Data Owner
      • 3.6.1.1. The personal data owner has the right to learn the issues specified below in relation to himself by applying to the Data Supervisor.
        • Learning whether the personal data has been processed or not,
        • Requesting the relevant information if the personal data has been processed
        • Learning the purpose of processing the personal data and whether the personal data is used as suitable for the purpose,
        • Knowing the third persons to whom the personal data has been transferred in the country or in abroad,
        • Requesting the correction of the personal data if the personal data has been processed deficiently or incorrectly and request the notification of the procedure that is performed within this scope to the third persons to whom the personal data has been transferred,
        • Requesting the deletion or destruction of the personal data if the reasons requiring the processing of the personal data disappear although the personal data has been processed in compliance with the provisions of the Law and the other relevant laws and requesting the notification of the procedures performed within this scope to the third persons to whom the personal data has been transferred
        • Objecting to the occurrence of a result against the person himself by analyzing the personal data exclusively via automatic systems,
        • Requesting the elimination of the damage if they are exposed to damage due to the processing of the personal data in contrary to the Law.
    • 3.6.2. Rights and Obligations of the Data Supervisor
      • 3.6.2.1. The Data Supervisor is obliged to take the necessary technical and administrative measures for ensuring the appropriate security level in order to prevent the personal data from being processed and/or accessed in contrary to the law, to ensure the protection of the personal data and to prevent the potential data losses that might occur in the systems that it is responsible for.
      • 3.6.2.2. The Data Supervisor and the persons who process the data do not disclose the personal data that they have learnt/obtained to another person in contradiction to the provisions of “the Personal Data Protection Law” and may not use the personal data for any purpose other than the processing purpose. This obligation continues also after their resignation.
      • 3.6.2.3. If the processed personal data is obtained by others by illegal ways, the Data Supervisor shares the situation with the Committee simultaneously and then forwards it to the Personal Data Protection Board within the shortest period of time.
      • 3.6.2.4. The Data Supervisor is obliged to make disclosure/inform the personal data owner and is responsible for making and causing to be made inspection, keeping secret and notifying the violations
      • 3.6.2.5. Our company makes disclosures to the personal data owners and give the necessary information if the personal data owners request information in compliance with the Article 20 of the Constitutional Law and the Article 10 of the Personal Data Protection Law.
      • 3.6.2.6. The Data Supervisor gives information to the relevant parties with regard to;
        • the identity of the Data Supervisor and its representative, if any,
        • for which purpose the personal data will be processed,
        • to whom and for which purpose the processed personal data can be transferred,
        • the method and legal reason of collecting personal data,
        • their other rights mentioned in the Article 11 of the Personal Data Protection Law during obtaining the personal data.
  • 3.7. VIOLATION OF THE PERSONAL DATA
    • 3.7.1. If it is found out that the personal data has been obtained by others by illegal ways with regard to the compliance with the Personal Data Protection Law, the situation is notified to the Personal Data Protection Board by the authorized person specified in “the Significant Person Access List”.(FR.MII.05.003)
    • 3.7.2. In the case that the personal data is processed and shared in contrary to the law and is not deleted when necessary, the procedures are carried out by the Legal Consultancy Department pursuant to the Articles 135 and 140 of the Turkish Criminal Law.
    • 3.7.3. If the crime of violating the personal data is committed, the following legal sanctions are applied:
      • Any person who records the personal data in contrary to the law is given prison sentence from one year to three years.
      • Any person who gives the personal data to another person, disseminate the personal data or acquire the personal data in contrary to the law is given prison sentence from two years to four years
      • When those who are obliged to destruct the data in the system even though the periods determined by the laws have expired do not fulfill their duties, they are given prison sentence from one year to two years

4. DEFINITIONS

Personal Data: All kinds of information regarding the real person whose identity is definite or determinable.

Special Quality Personal Data: Information about race, ethnical origin, political beliefs, philosophical beliefs, religion and faith, sects or other beliefs, clothing and attire, membership to foundations, unions or societies, health, sex life, criminal conviction and sentence, security measures as well as biometric and genetic data.

Data Supervisor: Person who determines the processing purposes and means of the personal data and who is responsible for the establishment and management of the data recording system.

Anonymization of the Personal Data: Making the data incapable of being associated with any real person whose identity is definite or determinable by any means even by matching with other data

Data Processor: Person who processes the personal data on behalf of the data supervisor based on the authorization granted by the data supervisor

Data Recording System: Recording system in which the personal data is processed by being structured according to specific criteria.

Processing of the Personal Data: All kinds of processes performed on the data such as obtaining, recording, storing, maintaining, changing, reorganizing, diclosing, transferring, taking over, making available, classifying the personal data or preventing the use of the personal data by wholly or partially automatic means or non-automatic means on condition that they are a part of any data recording system.

You can access to the other definitions and abbreviations set forth in this document from ADO Glossary.

The security of your personal data is important for us, as Adopen Plastik ve Insaat Sanayi A.S. (ADOPEN), and we show maximum sensitivity for the protection of your personal data. With this awareness, we attach great importance to the processing and protection of all kinds of personal data belonging to all individuals associated with ADOPEN in compliance with the Personal Data Protection Law no 6698 in Turkey (the Law). Within the scope of this responsibility of us, we, in our capacity of “Responsible Institution for Data” as defined in the La, process your personal and special quality personal data (personal data) within the framework of the limits stipulated by the legal legislation as specified below.

This disclosure form has been issued in order to fulfil ADOPEN’s disclosure obligation for the employees, employee candidates and interns of ADOPEN under the relevant Law and it is aimed to inform on the protection of personal data. This disclosure form has been published in the intranet site, notice boards and oicial website of ADOPEN.

1. Responsible Institution for Data

Your personal data can processed by ADOPEN as the responsible institution for data pursuant to the Law No 6698 in Turkey.

2. Purpose of Processing Personal Data

Your personal data is processed by ADOPEN for the purposes of carrying out the processes related to recruitment and placement, internship application evaluation, leave of employment, new personnel request, company entry-exit follow-up, leave calculation, leave request, advance request, advance transactions, overtime notification, personal filing, personal rights (salary and fringe benefits) calculation, severance and notice pay calculation, internship transactions, rewarding, access request (data, location, system), access authorization, occupational health and safety follow-up, training request and evaluation, training activity, training plan, promotion-appointment-transfer and secondment, position and title definitions establishment, performance evaluation, health service provision and follow-up, transportation service, meal service, personal card identification, information security, information processing and recording, information technologies support service provision, system user identification, entry of the personal transaction data into the Company systems, follow-up of the internet access logs made over the Company computer, disciplinary procedure transactions, making the legal notifications of Is-Kur, law enforcement forces, court and occupational accident on the fulfilment of the legal obligations, visitor entry-exit follow-up, visitor acceptance procedures, internal audit, central control, examination and investigation activities, in-house announcement, production recording, quality control, R&D activities, maintenance and repair activities, sending to recycling, current card opening, changing and follow-up, governmental support and incentive applications, business travel and accommodation follow-up, business expense notification, monthly fuel oil usage notification, invoice follow-up, entry into invoice and dispatch note, purchase request, shipment procedures, dealer order entry, supplier selection, facility security, asset delivery/receipt, granting power of attorney

Your personal data can be processed as long as your business relationship with ADOPEN continues and, in any case, within the legal storage periods determined within the framework of the relevant Law. The detailed information on the purposes of the processing of your personal data by ADOPEN is set forth in “the Personal Data Protection and Processing Policy” (the Policy). This Policy has been published in the intranet site, notice boards and oicial website of ADOPEN.

3. To whom and for which purpose the Processed Personal Data can be transferred

Your personal data collected can be transferred to the authorized public institutions (Turkish Employment Agency/Is-Kur, Ministry of Labour and Social Security, Ministry of Internal Aairs, Personal Data Protection Agency etc.) and/or authorized private persons to the extent permitted and required by the provisions of the legal legislation for the purpose of performing the work processes mentioned under the title “2. Purpose of Processing Personal Data” in this disclosure form as limited within the framework of the terms for the transfer of personal data as specified in the Articles 8 and 9 of the Law and the Policy

4. Method and Legal Reasons for Collecting Personal Data

ADOPEN will process your personal data in line with the purposes specified in the Policy. If any change occurs in the purpose of the processing the personal data, also an express consent will be obtained.

While it may vary depending on the relationship with ADOPEN and you, your personal data is collected from you in order to carry out our activities with you by automatic or non-automatic methods with the Job Application Form, Contract of Employment, Information Security and Ethical Notification Protocol; the documentation delivered to ADOPEN at the stage of job application; the online job application form and internship application form available in the website; the communication methods and all kinds of communication channels including the correspondences carried out over the electronic e-mail addresses, cargo deliveries and information forms; the document channel available in our documentation system; electronic e-forms (EBA); and the information that you verbally transfer.

5. Rights of the Personal Data Owner

The personal data owners have the rights to;

a .learn whether the personal data has been processed or not,
b. request the relevant information if the personal data has been processed,
c. learn the purpose of processing the personal data and whether the personal data is used as suitable for the purpose,
d. know the third persons to whom the personal data has been transferred in the country or in abroad,
e. request the correction of the personal data if the personal data has been processed deficiently or incorrectly and request the notification of the procedure that is performed within this scope to the third persons to whom the personal data has been transferred,
f. request the deletion or destruction of the personal data if the reasons requiring the processing of the personal data disappear although the personal data has been processed in compliance with the provisions of the Law and the other relevant laws
g. request the notification of the procedures performed in the items “e” and “f” to the third persons to whom the personal data has been transferred,
h. object to the occurrence of a result against the person himself by analysing the personal data exclusively via automatic systems,
i. request the elimination of the damage if they are exposed to damage due to the processing of the personal data in contrary to the Law

from ADOPEN.

In order to use your rights specified in the Article 11 of the Law, you can forward your request to the address of adopen@hs02.kep.tr by filling in “the Personal Data Owner Application Form”. Your request is concluded within the shortest period of time according to its nature (within thirty days at maximum in any case). If the transaction constitutes a separate cost for ADOPEN, the fee specified in “the Communiqué on the Principles and Procedures for the Application to the Responsible Institution for Data” is collected. If the request is rejected, the reasons for the rejection are notified to the data owner in written or in electronic environment together with its justifications.

6. Storage Period

Your personal data will be recorded, processed, stored and transferred as long as the business relationship continues and within the legal storage periods determined within the framework of the relevant legal regulations in Turkey. If the legal storage period is expired, your personal data will be deleted, destructed or anonymiz

This “Personal Data Application Form” (the Form) has been issued in order the data owner to use his following rights set forth in the Article 11 of the Law under “the Personal Data Protection Law no 6698 in Turkey” (the Law).

a. Learning whether the personal data has been processed or not, b. Requesting the relevant information if the personal data has been processed, c. Learning the purpose of processing the personal data and whether the personal data is used as suitable for the purpose, d. Knowing the third persons to whom the personal data has been transferred in the country or in abroad, e. Requesting the correction of the personal data if the personal data has been processed deficiently or incorrectly and request the notification of the procedure that is performed within this scope to the third persons to whom the personal data has been transferred, f. Requesting the deletion or destruction of the personal data if the reasons requiring the processing of the personal data disappear although the personal data has been processed in compliance with the provisions of the Law and the other relevant laws, g. Requesting the notification of the procedures performed in the items “e” and “f” to the third persons to whom the personal data has been transferred, h. Objecting to the occurrence of a result against the person himself by analysing the personal data exclusively via automatic systems, i. Requesting the elimination of the damage if they are exposed to damage due to the processing of the personal data in contrary to the Law.

INFORMATION OF THE DATA OWNER WHO APPLIED

For the fulfilment of your request, you should fill in this form in a complete manner and so as to include accurate information and forward it to the address of -Organize Sanayi Bolgesi 2. Kisim Mah. 21. Cadde No:3, 07040 Dosemealti/Antalya- with wet signature or to the address of adopen@hs02.kep.tr. If the information regarding your requests that you forward within the scope of the form is not accurate, complete and up-to-date or an unauthorized application is made, Adopen Plastik ve Insaat Sanayi A.S. (ADOPEN) does not accept any responsibility. Your request is concluded within the shortest period of time (in any case, within thirty days at maximum) according to the quality of your request. If the transaction constitutes a separate cost for ADOPEN, the fee specified in “the Communiqué on the Procedures and Principles for the Application to the Responsible Institution for Data” is collected. If the request is rejected, the reasons for the rejection are notified in written or to the e-mail address that you state above together with its justifications. If additional information is needed within the scope of the evaluation of your request, you will be contacted.

DECLARATION OF THE APPLICANT

I kindly request that my application that I made to ADOPEN is evaluated pursuant to the Article 13 of the Law and information is given to me via the electronic mail address that I state above in line with the requests that I specify in this application form.

Click here to download the form for which you have personal data.