POLICY ON THE PROTECTION AND RETENTION OF SENSITIVE PERSONAL DATA

According to the 6698 numbered Law on Protection of Personal Data (“PDPL”), your sensitive personal data may be processed by BTM Bitumlu Tecrit Malzemeleri Sanayi ve Ticaret Anonim Şirketi (“Company”) as the data controller within the scope described below

1. INTRODUCTION

The special categories of personal data are data that, if learned, may cause discrimination or victimization about the person concerned. For this reason, in the PDPL, sensitive personal data is given special importance compared to other personal data and it is stated that sensitive personal data should be protected much more strictly. This Policy has been prepared for the procedures and information within the data controller regarding the protection of sensitive personal data.

Within the scope of the policy, our Company's employee (“Employee”), the natural person whose personal data is processed (“Data Owner”), will be referred to as the Protection and Storage of Sensitive Personal Data Policy (“Policy”), Personal Data Protection Board (“Board”)

2. SCOPE AND DEFINITIONS

In Article 6 of the DPL, certain personal data that carry the risk of causing victimization or discrimination when processed unlawfully are defined as "sensitive personal data". The sensitive ersonal data include data on race, ethnic origin, political thought, belief, religion, sect or other beliefs, disguise and dress, membership to associations/foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Data Controller: It is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. Within the scope of this Policy, the data controller has been accepted as BTM Bitumlu Tecrit Malzemeleri Sanayi ve Ticaret Anonim Şirketi.

Sensitive Personal Data: Data about the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. In accordance with the regulation made in Article 6 of the PDPL, these data are considered as sensitive personal data or sensitive data.

Explicit Consent: Consent about a specific subject, based on information and expressed with free will.

Relevant Person: The natural person whose personal data is processed.

Processing of Personal Data: Obtaining, recording, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system or any kind of operation performed on the data, such as preventing its use.

Health Data: It is a data group related to the health status of the person (Health report, blood type, disability information).

3. PROCESSING OF THE SENSITIVE PERSONAL DATA AND PROCESSING PURPOSES

The sensitive personal data can be processed with the explicit consent of the data owner in accordance with Article 6 of the PDPL. However, in the cases listed in the PDPL, the processing of sensitive personal data is also possible without the explicit consent of the person concerned. In this context; 

The sensitive personal data outside of health and sexual life will be processed in line with the purposes stated in the title of “Your Personal Data Processed and the Purposes of Processing” and the provision of express consent within the scope of paragraph 2 of article 6 of the PDPL or stipulated in the laws in accordance with paragraph 3 of article 6.

Your sensitive personal data regarding your health information will be processed in line with the purposes set out in the title of “Your Personal Data Processed and the Purposes of Processing”, providing explicit consent within the scope of paragraph 2 of article 6 of the PDPL or authorized persons who are only under the obligation of keeping secrets in accordance with paragraph 3 of article 6 or by authorized institutions and organizations on the condition of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

4. YOUR PROCESSED PERSONAL DATA AND PROCESSING PURPOSES

Your sensitive personal data collected within our company may be processed for the purposes listed below.

The sensitive personal data are processed in line with the above-mentioned purposes. These personal data are collected only from relevant persons in compliance with the purpose and necessity of collecting that personal data. In the Personal Data Processing Inventory of our Company, the persons concerned on the basis of personal data regarding all personal data within the scope of the activities carried out in connection with the processes are recorded in the Data Controllers Registry on the basis of data categories. Within this scope, the following personal data are processed.

5. RETENTION OF THE SENSITIVE PERSONAL DATA

Our company keeps personal data for the period specified in these legislations, if it is stipulated in the relevant laws and regulations.

If a period of time is not regulated in the legislation regarding how long the personal data should be kept, the personal data is stored for the period that requires it to be kept in accordance with the practices of our Company, depending on the activity carried out by our Company while processing that data, then the personal data of the person concerned is stored by our Company. They are deleted, destroyed or anonymized in accordance with the "Personal Data Retention and Destruction Policy".

6. ACCESS TO THE SENSITIVE PERSONAL DATA

The sensitive personal data, excluding health information, are processed within our company in accordance with Article 6 of the PDPL, "in cases stipulated by the law" or in cases where the explicit consent of the data owner is obtained. Within this scope, the access to personal data other than health data is limited only to relevant departments within the scope of the Employee authorization matrix.

Personal data containing health information, except for the explicit consent of the related person, is only used for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, Occupational Health. It is collected by the physician of the institution within the body of the Health and Safety Unit. The health data is kept only in environments where access is limited by authorized persons.

Access to the sensitive personal data has been determined by our Company with this Policy, and necessary information and notifications have been made to the Employees within our Company. The employees of our Company act in accordance with these conditions due to the periodic trainings organized to raise awareness of PDPL.

7. MEASURES REGARDING THE PROCESSING OF SENSITIVE PERSONAL DATA 

Our Company, in the capacity of data controller, takes the following measures, in accordance with the Board's decision dated 31.01.2018 and numbered 2018/10, in the processing of the sensitive personal data included in Article 6 of the PDPL. This Policy has been determined in a systematic, clear, manageable and sustainable manner for the security of sensitive personal data.

7.1. For Employees Involved in the Processing of Sensitive Personal Data 

• Regular trainings are provided on the PDPL and related regulations and on the sensitive personal data security.

• Confidentiality agreements are made.

• Authorization scopes and authorization periods of users who are authorized to access data are clearly defined.

• Periodic authorization checks are carried out.

• Employees who have a change in duty or quit their job are immediately removed from their authority in this field. In this context, the inventory allocated to them by the Data Controller is returned.

7.2. If Electronic Media is the Environment where Sensitive Personal Data is Processed, Stored and/or Accessed;

• Personal data is preserved using cryptographic methods.

• Cryptographic keys are kept in secure and different environments. 

• Transaction records of all movements performed on personal data are securely logged. 

• Security updates of the environments where personal data are stored are constantly monitored, necessary security tests are regularly/are made and test results are recorded. 

• If personal data is accessed through a software, user authorizations for this software are made, security tests of these software are/are made regularly and the test results are recorded.

• At least two-stage authentication system is provided if remote access to personal data is required.

7.3.  If the Physical Environment is the Environment where Sensitive Personal Data is Processed, Stored and/or Accessed;

• Adequate security measures (against electricity leakage, fire, flood, theft, etc.)

• Unauthorized entrances and exits are prevented by ensuring the physical security of these environments.

7.4. If the sensitive personal data will be transferred;

• If personal data needs to be transferred via e-mail, it is transferred in encrypted form with a corporate e-mail address or by Registered Electronic Mail (KEP).

• If it needs to be transferred via media such as portable memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment. 

• If transferring is carried out between servers in different physical environments, data transfer is carried out by establishing a VPN between servers or using the SFTP method.

• If personal data needs to be transferred via paper media, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in a "Confidential" format.

8. TRANSFER OF SENSITIVE PERSONAL DATA 

Our company can transfer the sensitive personal data it has obtained in accordance with the law to third parties by taking the necessary security measures in line with the data processing purposes. Accordingly, our Company will be able to transfer sensitive personal data to third parties in the presence of one of the processing conditions specified in the above section and the conditions stated below:

• If there is the explicit consent of the Data Owner, 

• If there is a clear regulation in the law regarding the transfer of sensitive personal data, 

• If it is necessary for the protection of the life or physical integrity of the Data Owner or someone else,

• If the Data Owner is unable to express his/her consent due to actual impossibility or if his consent is not legally valid,

• If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,

• If personal data transfer is necessary for our company to fulfil its legal obligation,

• If the sensitive personal data has been made public by the Data Owner,

• If the transfer of sensitive personal data is necessary for the establishment, exercise or protection of a right,

• Provided that it does not harm the fundamental rights and freedoms of the Data Owner, personal data can be transferred if it is necessary for the legitimate interests of our Company.

9. TRANSFER OF SENSITIVE PERSONAL DATA ABROAD

Our company is able to transfer the sensitive personal data to foreign countries by showing due diligence, taking the necessary security measures and taking the adequate measures prescribed by the Board, in line with the legitimate and lawful personal data processing purposes, where there is a data controller who has adequate protection or is committed to adequate protection of the sensitive personal data of the Data Owner in the following cases:

• If the Data Owner has express consent, or 

• If there is no explicit consent of the Data Owner;

The sensitive personal data of the Data Owner other than his/her health and sexual life (race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress and clothing, association, foundation or union membership, criminal conviction and security measures data and biometric and genetic data) in cases stipulated by laws,

The sensitive personal data of the Data Owner regarding his/her health and sexual life may only be transferred for the purposes of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, they may be transferred within the scope of processing by persons or authorized institutions and organizations under the obligation to keep secrets. 

10. RIGHTS OF RELATED PERSONS AND THE USE OF THESE RIGHTS

The persons whose personal data are processed have the following rights:

1. Learning whether personal data is processed or not,
2. If personal data has been processed, requesting information about it,
3. Learning the purpose of processing personal data and whether they are used in accordance with the purpose,
4. Knowing the third parties to whom personal data is transferred at home or abroad,
5. Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
6. Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing cease to exist, although it has been processed in accordance with the provisions of the PDPL and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
7. Objecting to this result if a result against the person arises by analyzing the processed data exclusively through automated systems,
8. Requesting the compensation of the damage in case of loss due to the processing of personal data in violation of the PDPL.

10.1. Circumstances in which the Person whose Personal Data is Processed cannot assert her/his rights

The persons whose personal data are processed, cannot claim their rights listed in 11.1, though the following cases are excluded from the scope of the PDPL in accordance with 28. Article of the PDPL:

1. Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics,
2. Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime,
3. Processing personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security,
4. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

According to the paragraph 2 of article 28 of the PDPL, the data subject whose personal data are processed, cannot claim their other rights listed in the 11.1. Article of the PDPL, except for the right to demand the compensation of the damage:

1. Personal data processing is necessary for the prevention of crime or for criminal investigation,
2. Processing of personal data made public by the person whose personal data is processed,
3. Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by PDPL,
4. The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

10.2. Using the Personal Rights of the Related Person

The persons whose personal data are processed will be able to submit their requests regarding their rights specified in this Policy to our Company free of charge, with the information and documents that will identify them, and by filling out and signing the application form, using the methods specified below or other methods determined by PDPL. The regulations in this regard have been made in the Personal Data Application and Response Procedure of BTM Bitümlü Tecrit Malzemeleri Sanayi ve Ticaret Anonim Şirketi and in the clarification texts.

The related person may execise his/her rights as follows:

• After completing the form at the address of “Kemalpaşa OSB Mahallesi Gazi Bulvar No: 152 Kemalpaşa/Izmir”, a copy with wet signature must be sent in person or in writing via registered mail to the address of “Kemalpaşa OSB Mahallesi Gazi Bulvar No: 152 Kemalpaşa/İzmir” or brought in person.
• After completing the form and signing with the “secure electronic signature” within the scope of Electronic Signature Law No. 5070, sending the secure electronic signature form to btm@hs03.kep.tr by registered e-mail, secure electronic signature, mobile signature or the person concerned, to our Company. Making an application to KVKK@btm.co by using the e-mail address previously reported and registered in our Company's system or by means of a software or application developed for application purposes.

In accordance with the Communiqué on Application Procedures to the Data Controller the related person has to give the following information so Though the above-mentioned application is accepted as a valid application;

1. Name, surname and signature if the application is written,
2. For citizens of the Republic of Turkey, T.R. identification number, nationality for foreigners, passport number or identification number, if any,
3. Domicile or workplace address for notification,
4. If available, the e-mail address, telephone and fax number for notification,
5. Subject of the request

Otherwise, the application will not be considered as a valid application. In the applications to be made without filling out the application form, the issues listed here must be conveyed to our Company in full.

A special power of attorney must be issued by the relevant person through a notary public on behalf of the applicant in order for third parties to request an application on behalf of the persons whose personal data are processed.

IDENTITY OF DATA CONTROLLER

Central registration no.:               0187002570500016
Internet Address:                           www.btm.co

Phone:                                              (0232) 877 04 02 - 09
E-Mail:                                              KVKK@btm.co

KEP Address:                                   btm@hs03.kep.tr
Address:                                           Kemalpaşa OSB Mahallesi Gazi Bulvar No: 152 Kemalpaşa/Izmir

This Policy has been announced at www.btm.co . Within this scope, the right to make changes in the Policy is reserved in accordance with legislative changes and our Company's policies. The current version of the Policy, together with the changes made, is announced at www.btm.co.