FORM PLASTIC INDUSTRY AND TRADE LIMITED COMPANY

[Izmir Trade Registry, 101567]

Information Text For Processing Personal Data

As Form Plastik Sanayi ve Ticaret Limited Şirketi (the "Company"), we respect the personal data we manage while continuing our activities and attach importance to the protection of fundamental rights and freedoms, primarily the privacy of private life, in the processing of personal data. Under the Personal Data Protection Law ("KVKK") numbered 6698, we would like to inform you and get your consent, as the Data Controller, about the ways in which your personal data are collected, the purposes of processing, legal reasons, and our mutual rights and obligations.

1. Collection, Processing and Processing Purposes of Personal Data

Although your personal data varies depending on the services and activities provided by our Company;

It may be collected by our Company's responsible employees, either through automatic or non-automatic methods, in actual, bilateral meetings, or through the website or similar electronic communication means, and verbally, in writing or electronically. In addition, as long as the legal relationship between you and our Company continues, your personal data will be updated and processed and stored in print and / or electronically for the period stipulated in the relevant legislation or required for the purpose for which they are processed. All kinds of technical and managerial measures will be taken to protect your personal data, to ensure its security and to maintain compliance with storage requirements.

 

​Your personal data are processed for the following purposes:

- Fulfilling the legal requirements regarding company activities,

- Ensuring the legal and commercial security of real or legal persons who have a business and service relationship with our company,

- Carrying out company activities in accordance with the legislation, company policies and procedures,

- Providing all kinds of products and services to our customers, making the necessary evaluations for the service provided, ensuring continuity of customer satisfaction,

- Making existing and new product studies of our company and its affiliates,

- Conducting our market research and purchasing operations in order to provide better and more reliable service to our customers.

- Carrying out financial and accounting transactions,

- Contracts with business partners, suppliers and various companies, execution of contracts, fulfillment of legal, financial and commercial obligations in this context,

- Execution of legal processes

- Realization of social responsibility projects,

- Informing the authorized institutions in accordance with the relevant legislation.

2. Transfer of Personal Data

Your personal data, within the scope of the above-mentioned purposes, within the framework of the relevant legal provisions and the personal data processing conditions and purposes specified in the 8th and 9th articles of the KVKK; business partners, shareholders, affiliates, affiliated group companies, support service organizations and other contracted organizations from which they receive services as a complement or extension of their activities, consultants and organizations cooperating in accordance with the provisions of the legislation, and public institutions and organizations.

 

3. Method and Legal Reason for Collecting Personal Data

 

Your personal data is collected in all kinds of verbal, written or electronic media, in line with the purposes stated in the first part of this text, in order to provide our products and services within the determined legal framework and to fulfill our Company's responsibilities arising from the contract and the law fully and correctly. Your personal data collected for this reason can be processed and transferred in line with the purposes specified in the first two articles of this text, within the scope of the processing conditions of personal data defined in Articles 5 and 6 of the KVKK.

 

4. Rights of Personal Data Owner

As a personal data owner, in accordance with Article 11 of the KVKK, you have the following rights:

- Learning whether personal data is processed or not

- If personal data has been processed, requesting information about it

- Learning the purpose of processing personal data and whether they are used appropriately for their purpose.

- To know the third parties in the country or abroad to whom personal data has been transferred

- To request correction of personal data if it is incomplete or incorrectly processed

- To request the deletion or destruction of personal data within the framework of the conditions stipulated in the KVKK legislation and to notify the third parties to whom the personal data is transferred

- To object to the emergence of a result against the person himself by analyzing the processed data through automatic processes.

- To request the compensation of the damage in case of damage due to the unlawful processing of personal data.

You can send your request to use these rights with documents identifying you in writing to our postal, fax or registered e-mail address with secure electronic signature or in accordance with this method if a separate method is determined by the Personal Data Protection Board.

Address: İnönü Mah. 32. Sok. No: 5 Muradiye Industrial Zone Yunusemre / Manisa

Phone: (0236) 214 01 13-14-15

E-mail: info@formplastik.com.tr

 

 2. Personal Data Retention and Destruction Policy

 Introduction

This Personal Data Storage and Disposal Policy is made by Form Plastik Sanayi ve Ticaret Limited Şirketi ("hereinafter referred to as the Company") as the data supervisor for the deletion, destruction or anonymization of personal data held within the Company in accordance with the Personal Data Protection Law No.6698 and the relevant legislation. prepared in accordance with the disposal policy prepared by the Personal Data Protection Authority.

As the relevant persons, you can easily access our policies prepared by our Company for your personal data, excluding this policy, from our website.

Definitions

a. Explicit Consent: Consent that is based on information and expressed with free will regarding a specific subject.

b. Anonymization: Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching with other data.

c. Employee: Company personnel.

d. Electronic Media: Media where personal data can be created, read, changed and written by electronic devices.

e. Non-Electronic Media: All written, printed, visual and so on. other environments.

f. Relevant Person: The real person whose personal data is processed.

g. Relevant User: Persons who process personal data within the organization of the data controller or in

accordance with the authority and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.

h. Destruction: Deletion, destruction or anonymization of personal data.

I. Law: Law No.6698 on Protection of Personal Data

j. Recording Media: Any medium that contains personal data that is fully or partially automated or processed non-automatic, provided that it is part of any data recording system.

k. Personal Data: All kinds of information regarding an identified or identifiable natural person.

l. Processing of Personal Data: Obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data fully or partially automatically or non-automatic, provided that it is part of any data recording system. or any action taken on the data, such as preventing its use.

m. Board: Personal Data Protection Board

n. Special Categories of Personal Data: Data on race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and their genetic data.

o. Periodic Destruction: The process of deletion, destruction or anonymization specified in the personal data storage and disposal policy and to be carried out ex officio at repetitive intervals in the event that all the conditions for processing personal data in the Law are eliminated.

p. Policy: Personal Data Retention and Destruction Policy

q. Data Controller: Real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

r. VERBİS: Data Controllers Registry Information System

s. Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

Recording Media Of Personal Data

Your personal data are stored in electrical and non-electronic environments in accordance with the law and legislation, as stated below.

 Electronic Media

  • Servers (Domain, backup, e-mail, database, web, file sharing, etc.)

  • Software (office software, portal, VERBİS)

  • Information security devices (firewall, intrusion detection and blocking, log file, anti virus, etc.)

  • Personal computers (desktop, laptop)

  • Mobile devices (phone, tablet, etc.)

  • Optical discs (CD, DVD, etc.)

  • Removable sticks (USB, Memory Card etc.)

  • Printer, scanner, copier

  • Non-Electronic Environments

  • Paper

  • Manual data recording systems (survey forms, visitor entry books, etc.)

  • Written, printed and visual media

Storage of Personal Data  

 

In accordance with the provision that personal data in Article 4 of the Law is related, limited and measured for the purpose for which they are processed, and that they are kept for a period of time stipulated in the relevant legislation or for the purpose for which they are processed, your personal data is stored within our Company for a period of time in accordance with our processing purposes stipulated in this legislation.

 

a)     Storage Basis:

 

Your personal data are within our company: (i) Personal Data Protection Law No. 6698, (ii) Turkish Code of Obligations No. 6098, (iii) Occupational Health and Safety Law No. 6331, (iv) Labor Law No. 4857, (v) Turkish Commercial Code No. 6102. , (vi) Social Insurance and General Health Insurance Law No. 5510, (vii) Tax Procedure Law No. 213 for the periods stipulated within the scope of other secondary regulations in force pursuant to these laws.

b)     Storage Purposes:

Your personal data is stored in our Company for the following purposes in accordance with the periods in the law:

• To carry out human resources processes

• To provide internal communication

• Ensuring company security

• To be able to do statistical studies

• To be able to perform work and transactions as a result of contracts and protocols signed.

• To be able to process on VERBIS

• To ensure the fulfillment of legal obligations as required or required by legal regulations.

• To provide contact with real / legal persons who have business relations with the company

• Making legal reports

• To fulfill the obligation of proof as evidence in legal disputes that may arise in the future

Disposal of Personal Data

Your personal data will be deleted, destroyed or anonymized at the request of the relevant

person or ex officio in the following cases, as will be explained in the following sections of this policy:

• Amendment or abolition of the relevant legislation provisions that form the basis of processing

• The disappearance of the purpose requiring processing or storage

• The person concerned withdraws his explicit consent

• In accordance with Article 11 of the Law, the application for the deletion and destruction of the personal data within the framework of the rights of the relevant person is accepted by the Institute

• The maximum period that requires the storage of personal data has passed and there are no conditions to justify the storage of personal data for a longer period of time

Technical and Administrative Measures for the Protection of Personal Data

Our company takes the following technical measures regarding the environments where your personal data are stored:

• In environments where personal data are kept, only up-to-date and secure systems in line with technological developments are used.

• Security systems are used for the environments where personal data are kept.

• Security tests and researches are carried out to detect security vulnerabilities on information systems, and any existing or potentially risky issues identified as a result of the tests and researches are eliminated.

• By restricting access to data to environments where personal data are kept, only authorized persons are allowed to access these data, limited to the purpose of storing personal data, and all access is recorded.

• Our company employs sufficient technical personnel to ensure the security of the environments where personal data are kept.

• Anti-virus software for digital data protection; firewall, access restriction methods to control inappropriate access; strong passwords, secure logging systems; backup programs are used.

Our company takes the following administrative measures regarding the environments where your personal data are stored:

• Efforts are made to raise awareness and raise awareness of all Company employees who have access to personal data on information security, personal data and privacy.

• Legal and technical consultancy services are obtained in order to follow developments in the fields of information security, privacy of private life and protection of personal data and to take necessary actions.

• In case personal data is transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties in order to protect the personal data, and all necessary care is taken to ensure that the relevant third parties comply with their obligations in these protocols.

• Employees are periodically provided with data and information security trainings in accordance with the Personal Data Protection Law and the relevant legislation; Confidentiality commitment is signed in accordance with the duty and position. Legal action (warning / termination, etc.) is carried out within the scope of the legislation against personnel who act in violation of security procedures and personal data protection policy. Job descriptions are created for the employees and their authority and access limits are drawn.

Disposal Techniques Of Personal Data

Personal data are destroyed by our company, either ex officio or upon the request of the relevant person at the end of the period stipulated in the relevant legislation or the storage period required for the purpose for which they are processed, using the following techniques in accordance with the provisions of the relevant legislation:

 

a) Deletion Methods

 

Revocation of Access Authority: The system administrator removes the access authorization of the relevant users and deletes them from the personal data on the servers. Likewise, those whose time periods that require storage of personal data in electronic media have expired are made inaccessible and unavailable in any way for other employees (relevant users), except for the database manager.

Blackout: It is made inaccessible and unavailable in any way for other employees, except for the department manager responsible for document archiving, for those whose time period that requires storage of personal data kept in a physical environment has expired. In addition, the blackening process is also applied by scratching / painting / wiping it in an illegible way.

 

Encryption: Among the personal data kept in Flash-based storage media, the expired ones that require storage are encrypted by the system administrator and the access authority is given only to the system administrator and stored in secure environments with encryption keys.

 

b) Methods of Destruction

Physical Destruction: The personal data in the paper environment, which have expired, are irreversibly destroyed in paper trimming machines.

Magnetic Destruction: Physical destruction, such as melting, burning or pulverizing the expired personal data in optical media and magnetic media, is applied. In addition, magnetic media is passed through a special device and exposed to a high magnetic field, making the data on it unreadable.

 

c) Anonymization

 

In order for personal data to be anonymized; Personal data must be rendered unrelated to an identified or identifiable natural person, even through the use of appropriate techniques in terms of the recording medium and the relevant field of activity, such as the return of personal data by the data controller or third parties and / or matching the data with other data.

Storage and Destruction Period Of Personal Data

Personal data will be stored for the periods specified in the table below, within the scope of the relevant legislation and the principles specified in this policy, and will be anonymized or destroyed at the end of the period:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Personal Data Protection Policy

 

 Introduction

Law No. 6698 on the Protection of Personal Data, published in the Official Gazette dated 07.04.2016, regulates the protection of the fundamental rights and freedoms of individuals, especially the privacy of private life, the obligations of the data controllers who collect and process the data, and the procedures and principles to which they are bound. "Form Plastik Sanayi ve Ticaret Limited Şirketi" Policy on Protection of Personal Data was created in order to implement the Law and the implementation regulations of the Personal Data Board decisions and to explain the duties and responsibilities of the public and the Company employees.

 

1.     Purpose and Scope

 

Forms Plastik Sanayi ve Ticaret Limited Şirketi, Personal Data Protection Policy has been arranged to be implemented in terms of the Company, managers, employees and all persons who have a relationship with the COMPANY.

This Policy determines the rules and principles in order to ensure the privacy and inviolability rights of all real persons who have contact with the COMPANY and the rights to protect the personal data protected by the Law. Any violation of the policy means that the COMPANY is in violation of the Law due to being a registered Data Controller; Therefore, any breach of Form Plastik Sanayi ve Ticaret Limited Company's Personal Data Protection Policy by employees will be considered as a disciplinary violation.

2.    Definitions

 

Within the scope of this POLICY and all documents and activities within the scope of

Personal Data Protection Law;

a. Explicit consent: Consent on a specific subject, based on information and declared with free will,

b. Anonymization: Making personal data unrelated to a certain or identifiable natural person under any circumstances, even by matching with other data,

c. Related person: The real person whose personal data is processed,

d. Personal data: All kinds of information regarding an identified or identifiable natural person,

e. Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosure, transferring, taking over, making available, by means of non-automatic means, provided that personal data are fully or partially automated or are part of any data recording system, All kinds of operations performed on data such as classification or prevention of use,

f. Board: The Personal Data Protection Board,

g. Data processor: Real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,

h. Data controller: Real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system, expresses.

 

3.     General Principles

 

Personal data will only be processed in accordance with the procedures and principles stipulated by the Law. The basic principles in the processing of personal data are in compliance with the law and the rules of honesty; being accurate and up-to-date when necessary; processing for specific, explicit and legitimate purposes; being connected, limited and proportionate to the purpose for which they are processed; They should be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

4.     Collection and Processing Of Personal Data

 

The COMPANY, establishing a business relationship with the personnel it employs, preparing the personnel and health files of the personnel, executing the employment contracts, ensuring the safety of the workplace and customer, Buying, selling, selling, purchasing service, logistics and the like with the companies with which the company has a commercial relationship or has a commercial relationship. concluding contracts, execution of contracts, fulfillment of legal, financial and commercial obligations within this scope, conducting commercial risk analysis, procurement operations as well as legal and administrative operations, and especially the Labor Law No. 4857, Occupational Health and Safety Law No. 6331 and Social Security Law No. 5510. For the purposes of fulfilling the legal obligations stipulated in the provisions of the legal legislation to which the COMPANY is subject, including the Insurance and General Health Insurance Law, 6102 Turkish Commercial Code and Tax Legislation, it collects the personal data detailed below and also in the PERSONAL DATA INVENTORS.

 

Within the scope of the purposes stated above and also in the COMPANY PERSONAL DATA INVENTORY, all kinds of private and general data, which are required to be included in the workplace personal file within the scope of the Labor Law No. 4857 and the relevant legal legislation, are collected and processed digitally and physically by our COMPANY.

 

Within the scope of the contracts that the COMPANY has entered into or will enter into a commercial relationship with or will conclude with the companies with which it has commercial relations, the addressee real person merchants collect and process the data regarding the identity and contact information of the legal person merchant representatives and the payment and invoicing instruments in order to execute the relevant contracts.

Among the physical and digital files containing personal data, those whose legal retention period foreseen in the Labor Law No. 4857, Occupational Health and Safety Law No. 6331, Tax Procedure Law No. 213 and Turkish Commercial Code No. 6102 and the relevant legislation expires are destroyed in the manner specified in the COMPANY PERSONAL DATA INVENTORY. and relevant departments are instructed in this direction.

 

 

The reasons, processes, procedures and all other technical details of the COMPANY for processing personal data are specified in the COMPANY PERSONAL DATA INVENTORY.

 

5.     Express Consent In the Processing Of Personal Data

 

Personal data cannot be processed without the express consent of the data subject. Explicit consent must be in written or demonstrable form and must be obtained after the person concerned is informed about the collection, use, transfer and disposal issues. However, the COMPANY will be able to process personal data without express consent in the following cases:

 

a. It is clearly stipulated in the laws.

 

b. It is compulsory for the protection of the life or physical integrity of the person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid.

 

c. Provided that it is directly related to the establishment or performance of a contract, it is necessary to process personal data belonging to the parties to the contract.

d. It is mandatory for the data controller to fulfill his legal obligation.

e. It is made public by the person concerned.

 

f. Data processing is mandatory for the establishment, use or protection of a right.

 

g. It is mandatory to process data for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.

6.     Obligations Of Data Controller

 

During the acquisition of personal data, as the data controller, the COMPANY or its authorized person, the relevant persons;

 

a. Identity of the data controller and its representative, if any,

b. For what purpose personal data will be processed,

c. To whom and for what purpose the processed personal data can be transferred,

d. The method and legal reason for collecting personal data, is obliged to give information about.

 

 

As the data controller, COMPANY;

 

e. To prevent unlawful processing of personal data,

f. To prevent unlawful access to personal data,

g. In order to ensure the protection of personal data, it has to take all necessary technical and administrative measures to ensure the appropriate level of security.

7.     Rights Of The Personal Data Owner

 

Personal data owner, by contacting the data controller, regarding himself / herself;

 

a. Learning whether personal data is processed,

b. If their personal data has been processed, to request information regarding this,

c. Learning the purpose of processing personal data and whether they are used appropriately for their purpose,

d. To know the third parties to whom personal data are transferred domestically or abroad,

e. To request correction of personal data in case of incomplete or incorrect processing,

f. Request deletion or destruction of personal data if there is a special quality personal data,

g. Request notification of the transactions made to third parties to whom personal data have been transferred,

h. To object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,

I. In case of damage due to unlawful processing of personal data, requesting the compensation of the damage has the rights.

8.     Transfer Of Personal Data

Personal data can be transferred without the consent of the person concerned in the presence of one of the conditions specified in Article 5 above.

 

Personal data cannot be transferred abroad without the express consent of the person concerned. However, the transfer of personal data abroad without the express consent of the data subject is the existence of one of the conditions specified in Article 5 above, and

 

a. Adequate protection in a foreign country.

b. In the absence of adequate protection, permission to commit in writing to the Board and responsible for the data in the relevant foreign country and Turkey.

c. Countries with sufficient protection are determined and announced by the Board.

d. Personal data, without prejudice to the provisions of international conventions, Turkey or in the interests of the person concerned will suffer a serious condition, but considering the views of relevant public institutions or organizations transferred abroad with the permission of the Board.

e. The provisions of other laws regarding the transfer of personal data abroad are reserved.

9.     Measures Taken For the Protection Of Personal Data  

 

Personal data will be stored in existing and secure physical or electronic environments within the COMPANY. Only data processors authorized by the COMPANY for this purpose will be allowed to access the data.

 

In this context;

 

a. The Company Information Department will ensure that the system, virus protection and firewall software are up-to-date and uninterrupted in terms of protecting personal data.

b. The Company Administrative Affairs Unit will store the physical files in lockers and safe.

c. Company employees shall ensure the destruction of personal data whose intended use and expiration date has expired in accordance with the training given to them on the Law and the instructions given by the Company administration.

10.     Principles On the Destruction Of Personal Data

 

a. All kinds of destruction procedures can be applied in the destruction of personal data; In the process of destroying all kinds of data in digital form, the method of permanent deletion of files as well as unreadable corruption of the data in the digital environment can be used.

 

b. If the necessary reason for the processing of personal data is terminated and there is no consent for storage, it should be destroyed or anonymized.

 

c. Despite the existence of prior express consent, personal data must be destroyed or anonymized at the request of the person concerned.

 

d. Destruction should be such that the data is made inaccessible and irreversible.

 

e. The data controller is obliged to carry out the necessary audits or have them done in his institution or organization in order to ensure the implementation of the provisions of this Law.

 

f. Data controllers and data processors cannot disclose the personal data they have learned to anyone in violation of the provisions of this Law and cannot use them for purposes other than processing. This obligation continues after leaving the job.

 

g. In case the processed personal data is obtained by others illegally, the data controller shall notify the relevant person and the Board of this situation as soon as possible. The Board, if necessary, may announce this situation on its website or by any other method it deems appropriate.

11.     Destruction Periods

 

Personal data will be stored for the periods specified in the table below, within the scope of the RELEVANT Legislation and the principles specified in this Policy, and will be anonymized or destroyed at the end of the period: