1. Introduction

1.1. Purpose of the Policy

Within the scope of Law No. 6698 on the Protection of Personal Data (“Law”), M.İ.K.S.T.A. PASLANMAZ ÇELİK HASTANE DONANIMLARI MUTFAK MAKİNA MEDİKAL CİHAZLAR İMALATI İNŞAAT SANAYİ VE TİCARET LTD. ŞTİ. (hereinafter referred to as “Company” or “MİKSTA”) presents this Personal Data Processing and Protection Policy (“Policy”) in order to inform third parties in accordance with Article 10 of the Law and to describe the administrative and technical measures to be implemented for the processing and protection of personal data.

1.2 Scope

The policy determines the conditions for the processing of personal data and sets out the principles adopted by the Company in the processing of personal data. In this respect, the Policy covers all personal data processing activities carried out by the Company within the scope of the Law, all the processed personal data and the owners of this data.

The Company reserves the right to make changes to the Policy in line with the legal regulations. You can access the current version of the Policy at the Company’s website …………………….

This Policy has entered into force on ……………………….

1.3 Definitions

Express Consent: Consent on a specific subject, based on being informed and expressed of free will.
Anonymization: Making data that was previously associated with a person incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Future Employee: Real persons who do not work within the Company but who are in candidate status.
Personal Information: All types of information related to the identified or identifiable real person.
Data Subject: The natural person whose personal data is processed.
Processing of personal data: All kinds of operations performed on personal data, including obtaining, recording, storing, keeping, changing, re-arranging, disclosure, transmission, acquisition, making available, classification or prevention of use, in whole or in part, by automatic means or by non-automatic means provided that they are part of a data recording system.
Law: Law on the Protection of Personal Data numbered 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677.
Sensitive Personal Data: Data on race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or syndicates, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Policy: Personal Data Processing and Protection Policy.
Company/Firm: M.İ.K.S.T.A. PASLANMAZ ÇELİK HASTANE DONANIMLARI MUTFAK MAKİNA MEDİKAL CİHAZLAR İMALATI İNŞAAT SANAYİ VE TİCARET LTD. ŞTİ.
Data Processor: Real or legal person who processes personal data on behalf of the data controller on the basis of the authority conferred by him/her.
Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically.
Data Recording System: Recording system in which personal data is processed and structured according to certain criteria.
Business Partners: Persons with whom the Company has established partnerships within the scope of contractual relations within the framework of its commercial activities.

2. Information on Personal Data Processing Activities

2.1. Data Subjects

Data subjects within the scope of the policy are all natural persons, other than Company employees, whose personal data are processed by the Company. In general, data subjects can be listed as follows:

Data Subject Categories: Description
Customers: Natural persons who benefit from the products and services offered by the Company.
Potential Customers: Real persons who are interested in the products and services offered by the Company and have the potential to become customers.
Future Employees: Real persons who apply for a job by sending a CV to the Company or by other methods.
Visitors: People who come to visit the Company for any reason.
Third Parties: Natural persons, excluding the categories of data subjects mentioned above and excluding Company employees.

The categories of data subjects described in the table above are specified for general information sharing purposes and as examples. The fact that the data subject does not fall under any of these categories shall not eliminate the quality of the data subject as specified in the Law.

2.2 Purposes of Processing of Personal Data

Pursuant to Law No. 6698, the purposes of processing personal data can be summarized as follows:

Carrying out the necessary work by the relevant units and conducting business processes in order to make the related persons benefit from the products and services offered by the Company:

Planning and execution of company human resources policies and processes:

Conducting necessary activities by respective business units and performing related business processes in order to carry out commercial activities performed by the Company;

Planning and executing the activities necessary to recommend and promote the products and services offered by the company to the relevant people, by customizing them according to their tastes, usage habits and needs:

Planning and execution of the commercial and/or business strategies of the Company:

Ensuring the legal, technical and commercial business security of the Company and data subjects who have a business relationship with the Company:

2.3 Categories of Personal Data

Personal data categorized as follows by the company are processed in accordance with the personal data processing conditions in the Law and relevant legislation:

 

Data Category: Description
Identity information: Information contained in documents such as driver’s license, identity card, certificate of residence, passport, attorney’s ID, marriage certificate.
Contact information: Information used to contact the person (e.g., e-mail address, telephone number, mobile phone number, address).
Location information: Information to identify the location of the data subject (e.g., location information obtained while driving).
Customer information: Information about customers who use our products and services (e.g., customer number, occupation information, etc.).
Customer transaction information: Information regarding any transaction performed by customers using our products and services.
Physical environment security information: Personal data related to records and documents such as camera recordings, fingerprint records taken at the entrance to the physical location, during the stay in the physical environment.
Transaction security information: Personal data processed to provide technical, administrative, legal and commercial security while carrying out the commercial activities of the Company.
Financial information: Personal data processed for information, documents and records showing all kinds of financial results created according to the type of legal relationship established by the Company with the personal data subject.
Future employee information: Personal data processed about individuals who have applied to be an employee of the Company or who have been evaluated as an employee candidate in line with human resources needs in accordance with commercial practices and honesty rules, or who have a working relationship with the Company.
Legal transaction and compliance information: Personal data processed within the scope of determination and follow-up of legal receivables and rights of the Company, and performance of debts, its legal obligations and compliance with company policies.
Audit and inspection information: Personal data processed within the scope of the Company’s obligations and compliance with company policies.
Sensitive Personal Data: Information about persons’ race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to an association, foundation or syndicate, medical condition, sexual life, criminal conviction and security measures and biometric and genetic data.
Marketing information: Personal data processed for the purpose of customizing and marketing the products and services offered by the Company in line with the usage habits, tastes and needs of the personal data subject, and the reports and evaluations created as a result of these processing results.
Request/complaint management information: Personal data regarding the receipt and evaluation of any request or complaint directed to the Company.
Reputation management information: Information collected for the purpose of protecting the company’s commercial reputation, evaluation reports and actions taken in this regard.
Incident management information: Personal data processed in order to take the necessary legal, technical and administrative measures against the developing events in order to protect the commercial rights and interests of the Company and the rights and interests of its customers.

3. Principles and Conditions Regarding the Processing of Personal Data

3.1 The following principles must be complied with during the processing of personal data:

a) Complying with the law and rules of good faith.

b) Being accurate and up-to-date when necessary.

c) Processing for specific, clear, and legitimate purposes.

ç) Being relevant, limited and proportionate to the purpose of processing.

d) Retaining them for the period of time stipulated by the relevant legislation or the period deemed necessary for the purpose of the processing.

3.2. Conditions Relating to Processing Personal Data

According to Article 5 of Law No. 6698, personal data cannot be processed without the explicit consent of the person concerned.

In the presence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the data subject:

a) If it is clearly stipulated in the laws.

b) If it is necessary to protect the life or physical integrity of the person who is unable to express his/her consent due to actual impossibility, or whose consent is not legally valid, or of someone else.

c) If it is necessary to process personal data of the parties to a contract, provided that it is directly related to the drawing up or performance of that contract.

ç) In the event that the data officer is obliged to fulfil his/her legal obligations.

d) In the event that it is publicized by the person concerned himself/herself.

e) If data processing is required for the establishment, exercise or protection of a right.

f) In the event data processing is required for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the relevant person are not damaged.

3.3 Processing of Sensitive Personal Data

Personal data relating to the persons’ race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures and the biometric and genetic data are sensitive personal data.

As a rule, sensitive personal data cannot be processed without the explicit consent of the person concerned. However, personal data other than data on health and sexual life may be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws.

Personal data on health and sexual life can be processed by persons or authorized institutions and organizations that are under the obligation to keep secrets without seeking the explicit consent of the person concerned for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and their financing.

In the processing of sensitive personal data, it is also necessary to take adequate measures determined by the Board, and the Company implements these measures.

4. Transfer of Personal Data

The Company can transfer the personal data and sensitive personal data of the data subject to third parties in the country or abroad by taking the necessary security measures in line with the personal data processing purposes in accordance with the law. Accordingly, the Company acts in accordance with the regulations stipulated in Article 8 of the Law No. 6698.

4.1 Transfer of personal data to third parties in the country

In the presence of at least one of the data processing conditions explained in Articles 5 and 6 of the Law No. 6698 and explained under the 3rd Heading of this Policy, provided that it complies with the basic principles regarding data processing conditions, your personal data may be transferred by the Company.

4.2 Transfer of personal data to third parties abroad

In the presence of at least one of the data processing conditions explained under the 3rd Heading of this Policy and by taking the necessary security measures, the Company may transfer the personal data and sensitive personal data of the personal data subject to third parties abroad. The Company transfers personal data to foreign countries declared by the PDP Board to have sufficient protection (“Foreign Country with Sufficient Protection”) or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and where the permission of the PDP Board is available (“Foreign Country Where Data Controller is Situated Who Undertakes Adequate Protection”). Accordingly, the Company acts in accordance with the regulations stipulated in Article 9 of the PDP Law.

5. Data Subject’s Rights and Use of Related Rights

5.1. Rights of personal data subject

Everyone has the right to apply to the Data Controller in order:

a) To find out whether personal data related with him/her has been processed or not,

b) To request information if his/her personal data are processed,

c) To learn the purpose of the data processing and whether this data is used for intended purposes or not,

ç) To know the third parties to whom his/her personal data is transferred at home or abroad,

d) To request the rectification of personal data, if personal data is processed incompletely or inaccurately,

e) To request his/her personal data to be erased or destroyed under the conditions stipulated in the Law,

f) To request notification of the operations carried out in compliance with subparagraphs (d) and (e) to third parties to whom his/her personal data has been transferred,

g) To object to consequences to his/her detriment arising from the analysis of the processed data exclusively via automatic systems,

ğ) To claim compensation in case of suffering loss due to illegal processing of the personal data.

5.2 Cases where the personal data subject cannot assert his rights:

Personal data subjects cannot claim their rights listed in 5.1 in the following cases:

Provided that personal data is not provided to third parties and the obligations relating to data security are adhered to, processing of personal data by real persons within the scope of activities relating entirely to themselves or to family members living in the same household,

Processing personal data for the purposes of investigation, planning and statistics by anonymizing it with official statistics,

Provided that it does not breach national defence, national security, public security, public order, economic security and confidentiality of private life or personal rights and does not constitute a crime, processing the personal data within the framework of artistic, historical, literary or scientific purposes or freedom of speech,

Processing the personal data within the scope of preventive, protective and intelligence operations executed by public institutions and organizations so authorized by the law to ensure national defence, national security, public safety, public order or economic security,

Processing the personal data by judicial or enforcement authorities in relation to the investigation, proceedings, litigation or execution procedures.

Pursuant to Article 28.2 of the PDP Law, personal data subjects cannot, in the cases listed below, claim their other rights listed in 5.1, except for the right to demand compensation for damage:

Processing personal data being required for prevention of committing an illegal act or for criminal investigation,

Processing of personal data publicized by the personal data subject,

Processing personal data being required for disciplinary investigation or prosecution and conducting supervisory or regulatory duties by the authorized public institutions and organizations and professional public organizations by the power granted by the law,

Processing personal data being required for protecting economic and financial interest of the State with regard to the budgetary, tax related and financial issues.

6. Deletion, Destruction and Anonymization of Personal Data

As regulated in Article 138 of the Turkish Penal Code and Article 7 of the PDP Law, personal data that has been processed in accordance with the provisions of the relevant law is deleted, destroyed or anonymized upon the decision of the Company or upon the request of the personal data subject in the event that the reasons requiring it to be processed disappear. In this context, the Company takes the necessary technical and administrative measures within the Company to fulfil its related obligations, has developed the necessary mechanisms for this issue, and trains the relevant business units, provides them with their assignments and raises their awareness so that they behave in compliance with these obligations.