Policy on Protection and Retention of Sensitive Personal Data

Pursuant to Law No. 6698 on the Protection of Personal Data (“KVKK”), your sensitive personal data may be processed by Oran Polyester Keçe Dış Ticaret Sanayi ve Ticaret Anonim Şirketi (“Company”) as the data controller within the scope described below.

  1. INTRODUCTION

Sensitive personal data are data that, if learned, may cause discrimination against or victimization of the data subject. For this reason, the KVKK gives special categories of personal data greater importance than other personal data and states that they should be protected much more strictly. This Policy sets out the procedures and information applied within the data controller for the protection of special categories of personal data.

Within the scope of this Policy, an employee of our Company is referred to as “Employee”, the real person whose personal data is processed as “Data Owner”, the Policy on the Protection and Storage of Sensitive Personal Data as “Policy”, and the Personal Data Protection Board as “Board”.

  2. SCOPE AND DEFINITIONS

In Article 6 of the KVKK, certain personal data which, when processed unlawfully, carry the risk of causing victimization or discrimination of persons are defined as “personal data of special nature”. Special categories of personal data include data relating to race, ethnic origin, political opinions, beliefs, religion, sect or other beliefs, appearance and dress, membership of associations/foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. Within the scope of this Policy, the data controller is accepted as Oran Polyester Keçe Dış Ticaret Sanayi ve Ticaret Anonim Şirketi.

Sensitive Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. Under Article 6 of the KVKK, these data are considered special categories of personal data or sensitive data.

Explicit Consent: Consent on a specific subject, based on information and expressed with free will.

Relevant Person: The natural person whose personal data is processed.

Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means, or by non-automatic means provided that it is part of a data recording system.

Health Data: A group of data related to the health status of the person (e.g. health report, blood type, disability information).

  3. PROCESSING OF PERSONAL DATA OF SPECIAL NATURE AND PURPOSES OF PROCESSING

Under Article 6 of the KVKK, special categories of personal data may be processed with the explicit consent of the person concerned. However, in the cases listed in the KVKK, the processing of sensitive personal data is also possible without the explicit consent of the data subject. In this context:

Special categories of personal data other than health and sexual life are processed in line with the purposes stated under the heading “Your Personal Data Processed and Purposes of Processing”, within the scope of the explicit consent requirement in Article 6, paragraph 2 of the KVKK, and pursuant to Article 6, paragraph 3, in the cases stipulated in the laws.

Your personal data of special nature regarding your health information is processed in line with the purposes set out under the heading “Your Personal Data Processed and Purposes of Processing”, within the scope of the explicit consent requirement in Article 6, paragraph 2 of the KVKK, and pursuant to Article 6, paragraph 3, only by authorized persons or authorized institutions and organizations under the obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.

  4. YOUR PROCESSED PERSONAL DATA AND PURPOSES OF PROCESSING

Your sensitive personal data collected within our Company may be processed for the following purposes.

  • Fulfillment of obligations arising from employment contracts and legislation for employees.
  • Execution of processes related to fringe benefits and benefits for employees.
  • Conducting audit activities.
  • Execution of activities in accordance with the legislation.
  • Follow-up and execution of legal affairs.
  • Execution and supervision of business activities.
  • Fulfillment of legal obligations.
  • Carrying out storage and archive activities.
  • Execution of contract processes.
  • Providing information to authorized persons, institutions and organizations.
  • Providing the necessary information in line with the requests and audits of regulatory and supervisory institutions and official authorities.
  • Maintaining information on data that must be kept in accordance with the relevant legislation.
  • Creating a personnel file for employees, determining whether they are capable of fulfilling the requirements of the job on a permanent basis, creating a health file, taking occupational safety measures.
  • Carrying out occupational health and safety activities in accordance with the Occupational Health and Safety Law, the Regulation on the Duties, Authorities, Responsibilities and Training of Workplace Physicians and Other Health Personnel and related legislation, and monitoring the fitness of employees for duty.

Special categories of personal data are processed for the purposes stated above. This personal data is collected only from the relevant persons, in accordance with the purpose and necessity of collecting it. The data subjects for each item of personal data processed within the scope of process-based activities are specified in our Company’s Personal Data Processing Inventory, and the data subjects for each data category are specified in the registration with the Data Controllers Registry. In this context, the following personal data are processed:

| PERSONAL DATA CATEGORIZATION | PERSONAL DATA CATEGORIZATION DESCRIPTION |
| --- | --- |
| Health Data | A group of data on a person’s health status. |
| Criminal Convictions and Security Measures Data | It is a set of data on sanctions the person has received in the past. |

  5. STORAGE OF SPECIAL CATEGORIES OF PERSONAL DATA

If stipulated in the relevant laws and regulations, our Company retains personal data for the period specified in these regulations.

If a period of time is not regulated in the legislation regarding how long personal data should be kept, personal data is kept for the period required to be kept in accordance with our Company’s practices, depending on the activity carried out by our Company while processing that data, and then the personal data of the person concerned is deleted, destroyed or anonymized in accordance with the “Personal Data Retention and Destruction Policy” established by our Company.

| PROCESS | STORAGE TIME |
| --- | --- |
| Creation of employee personal health files | It is kept for 15 years after the termination of the employment contract. |
| Creation of employee personal health files (Work accident reports) | Correspondence related to occupational accidents is kept for 45 years after the termination of the employment contract as required. |
| Evaluation of job application processes of employee candidates | It is kept for 6 months from the date of application. |
| Obtaining criminal records of employees | It is kept for the duration of the employment contract. |

  6. ACCESS TO SPECIAL CATEGORIES OF PERSONAL DATA

Within our Company, personal data of special nature, other than health information, is processed pursuant to Article 6 of the KVKK “in cases stipulated by law” or in cases where the explicit consent of the person concerned is obtained. In this context, access to personal data other than health data is limited to the relevant departments within the scope of the authorization matrix for Employees.

Within our Company, personal data containing health information is collected by the corporate physician within the Occupational Health and Safety Unit, who is under the obligation of confidentiality, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, except for the explicit consent of the person concerned. Health data is kept only in environments where access is limited to specified authorized persons.

Access to sensitive personal data has been determined by our Company with this Policy and the necessary information and notifications have been made to the Employees within our Company. Thanks to the periodic trainings organized to ensure awareness of KVKK, our Company’s Employees act in accordance with these conditions.

  7. MEASURES REGARDING THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

In accordance with Article 6 of the KVKK and the Board’s decision dated 31.01.2018 and numbered 2018/10, our Company takes the following measures as data controller in the processing of special categories of personal data. This Policy has been established to ensure the security of sensitive personal data in a systematic, clear, manageable and sustainable manner.

7.1. For Employees Involved in the Processing of Sensitive Personal Data

  • Regular trainings are provided on the KVKK and related regulations and on the security of special categories of personal data.
  • Confidentiality agreements are in place.
  • The scope and duration of authorization of users authorized to access data are clearly defined.
  • Periodic authorization checks are carried out.
  • The authorizations in this area of Employees who change their position or leave their job are immediately revoked. In this context, the inventory allocated to them by the data controller is returned.

7.2. If the Media in which Sensitive Personal Data are Processed, Stored and / or Accessed are Electronic Media;

  • Personal data is stored using cryptographic methods.
  • Cryptographic keys are kept in secure and separate environments.
  • Transaction records of all actions performed on personal data are securely logged.
  • Security updates for the environments where personal data are stored are continuously monitored, necessary security tests are regularly performed/conducted and test results are recorded.
  • If personal data is accessed through software, user authorizations for this software are defined, security tests of this software are regularly performed/conducted and test results are recorded.
  • If remote access to personal data is required, at least a two-factor authentication system is provided.

7.3. If the Media Where Sensitive Personal Data are Processed, Stored and / or Accessed are Physical Media;

  • Adequate security measures (against electric leakage, fire, flood, theft, etc.) are taken according to the nature of the environment where sensitive personal data is located.
  • Unauthorized entry and exit are prevented by ensuring the physical security of these environments.

7.4. If Sensitive Personal Data will be Transferred;

  • If it is necessary to transfer personal data via e-mail, it is transferred in encrypted form via a corporate e-mail address or via Registered Electronic Mail (KEP).
  • If it needs to be transferred via media such as portable memory, CD, DVD, it is encrypted with cryptographic methods and the cryptographic key is kept on different media.
  • If transferring between servers in different physical environments, data transfer is performed by establishing a VPN between the servers or by SFTP method.
  • If it is necessary to transfer personal data via paper media, necessary precautions are taken against risks such as theft, loss or unauthorized viewing of the document and the document is sent in “Confidential” format.

  8. TRANSFER OF PERSONAL DATA OF SPECIAL NATURE

Our Company may transfer special categories of personal data obtained in accordance with the law to third parties by taking the necessary security measures in line with the purposes of data processing. Accordingly, our Company may transfer special categories of personal data to third parties in the presence of one of the processing conditions specified in the section above and the following conditions:

  • If the Data Owner has given explicit consent, or
  • If the Data Subject has not given explicit consent:

Sensitive personal data other than the health and sexual life of the Data Owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, criminal conviction and security measures, and biometric and genetic data) may be transferred in cases stipulated by law,

Personal data of special nature relating to the health and sexual life of the Data Owner may be transferred only for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, within the scope of processing by persons or authorized institutions and organizations under the obligation of confidentiality.

  9. RIGHTS OF DATA SUBJECTS WHOSE PERSONAL DATA IS PROCESSED AND EXERCISE OF THESE RIGHTS

Data subjects whose personal data are processed have the following rights:

  1. To learn whether personal data is being processed,
  1. To request information if their personal data has been processed,
  1. To learn the purpose of processing personal data and whether they are used for their intended purpose,
  1. To know the third parties to whom personal data are transferred domestically or abroad,
  1. To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
  1. Although it has been processed in accordance with the provisions of the KVKK and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
  1. In the event that the processed data is analyzed exclusively through automated systems and a result occurs to the detriment of the person himself/herself, to object to this result,
  1. In case of damage due to the processing of personal data in violation of the KVKK, to demand the compensation of the damage.

9.1. Cases where the Data Subject whose Personal Data is Processed cannot assert his/her rights

Since the following cases are excluded from the scope of the KVKK pursuant to Article 28 of the KVKK, data subjects whose personal data are processed cannot assert their rights listed in Article 11, paragraph 1 of the KVKK in these cases:

  1. Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics,
  1. Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime,
  1. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security,
  1. Processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials or executions.

Pursuant to Article 28, paragraph 2 of the KVKK, in the cases listed below, the persons whose personal data are processed cannot assert their other rights listed in Article 11, paragraph 1 of the KVKK, except for the right to demand the compensation of the damage:

  1. Processing of personal data is necessary for the prevention of crime or criminal investigation,
  1. Processing of personal data made public by the person whose personal data is processed,
  1. Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by the KVKK,
  1. Processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters.

9.2. Exercise of the Relevant Person’s Rights

Persons whose personal data are processed may submit their requests regarding their rights specified in this Policy to our Company free of charge by filling out and signing the application form, together with the information and documents that will establish their identity, by the methods specified below or by other methods determined by the KVKK. Regulations in this regard are made in the Oran Polyester Keçe Dış Ticaret Sanayi ve Ticaret Anonim Şirketi Personal Data Application Form and Clarification Texts.

The relevant person can exercise their rights in the following ways:

  • After filling in the form available at the address “Kemalpaşa Organized Industrial Zone İzmir Kemalpaşa Asfaltı No:44 Kemalpaşa / İzmir”, by hand or in writing via registered mail with return receipt requested, or by application in person,
  • After filling out the form and signing it with the “secure electronic signature” within the scope of the Electronic Signature Law No. 5070, by sending the form with secure electronic signature by registered e-mail to the oranpolyester@hs01.kep.tr address, or by using secure electronic signature, mobile signature or the e-mail address previously notified to our Company by the relevant person and registered in our Company’s system, or through a software or application developed for the purpose of application, applying to info@orbond.com.

In order for the above-mentioned application to be accepted as a valid application, in accordance with the Communiqué on Application Procedures to the Data Controller, the following information is mandatory in the application:

  1. Name, surname and signature if the application is in writing,
  1. Turkish Republic ID number for citizens of the Republic of Turkey, nationality, passport number or ID number, if any, for foreigners,
  1. Residential or workplace address for notification,
  1. Electronic mail address, telephone and fax number for notification, if any,
  1. Subject of request.

Otherwise, the application will not be considered as a valid application. For applications to be made without filling out the application form, the matters listed herein must be submitted to our Company in full.

In order for third parties to make an application request on behalf of the persons whose personal data are processed, there must be a special power of attorney issued by the relevant person through a notary public on behalf of the person who will make the application.

IDENTITY OF THE DATA CONTROLLER

Mersis No: 0645035252400001
Internet Address: www.orbond.com
Telephone Number: 0 232 502 14 15
E-Mail Address: info@orbond.com
KEP Address: oranpolyester@hs01.kep.tr
Address: Kemalpaşa Organized Industrial Zone İzmir Kemalpaşa Asfaltı No:44 Kemalpaşa / İzmir

This Policy was announced at www.orbond.com. In this context, the right to make changes in the Policy is reserved in accordance with legislative changes and our Company’s policies. The current version of the Policy with the amendments made is announced at www.orbond.com.