Personal Data Protection, Processing and Privacy Policy

PERSONAL DATA PROTECTION, PROCESSING AND PRIVACY POLICY

GLASSTECH FIRIN REFRAKTER ÇELİK İNŞAAT TURİZM SANAYİ VE TİCARET A.Ş. (hereinafter referred to as “GTR” and/or the “Company”) processes the personal data of its employees and other natural persons who establish a relationship with the Company by applying for a job or through any other means or channel, in a lawful manner in order to carry out its activities.

Personal Data Protection, Processing and Privacy Policy

This policy outlines the principles and procedures followed by Glasstech Furnace Refractory Steel Construction Tourism Industry and Trade Inc. (“GTR”) for the protection and processing of personal data in accordance with the Law on the Protection of Personal Data No. 6698 (KVKK). Personal data may be collected and processed through various communication channels in order to carry out company activities, ensure legal and commercial security, manage human resources processes, and maintain business operations. Data are processed lawfully, for specific and legitimate purposes, and only for the period required by applicable legislation or operational needs. GTR implements the necessary technical and administrative measures to ensure the confidentiality, integrity, and security of personal data, and provides data subjects with the rights granted under the KVKK.

This Personal Data Protection, Processing and Privacy Policy (“Policy”) has been prepared in order to provide the necessary information by explaining the set of rules regarding the processing of personal data, as well as the data processing activities carried out by our Company and the relevant systems.

In this context, the processing of personal data within the scope of the Law on the Protection of Personal Data No. 6698 (“KVKK” or the “Law”), the data subjects whose personal data are processed and their rights, and the use of cookies and similar technologies are explained in detail.

With the entry into force of additional legislation under the Law and/or amendments to be made to this Policy from time to time, the current version of this Policy can be monitored and accessed via the corporate websites www.glasstechrefractory.com and www.gtref.com.

DEFINITIONS

Explicit Consent: Refers to consent that is based on being informed and expressed with free will, relating to a specific subject.

Anonymization: Refers to rendering personal data incapable of being associated with an identified or identifiable natural person in any way, even when matched with other data.

Data Subject / Relevant Person: Refers to the natural person whose personal data are processed.

Law: Refers to the Law on the Protection of Personal Data.

Recording Medium: Refers to any environment in which personal data processed fully or partially by automated means or by non-automated means forming part of any data recording system are stored.

Personal Data Processing Inventory: Refers to the inventory created by data controllers by associating their personal data processing activities, carried out depending on their business processes, with the purposes of processing personal data, data category, recipient group to whom the data are transferred and data subject group, and by detailing the maximum period required for the purposes for which personal data are processed, the personal data envisaged to be transferred abroad and the measures taken regarding data security.

Personal Data Subject / Data Subject: Refers to the natural person whose personal data are processed.

Personal Data: Refers to any information relating to an identified or identifiable natural person.

Processing of Personal Data: Refers to any operation which is performed on personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transfer, acquisition, making available, classification, or prevention of use, wholly or partially by automated means or by non-automated means which form part of a data recording system.

Law on the Protection of Personal Data (“KVKK”): Refers to the Law No. 6698 dated 24 March 2016, published in the Official Gazette dated 7 April 2016 and numbered 29677, which is the subject of this Policy.

Board: Refers to the Personal Data Protection Board.

Authority / Institution: Refers to the Personal Data Protection Authority.

Special Categories of Personal Data: Refers to data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.

Policy: Refers to this Personal Data Protection, Processing and Privacy Policy.

Registry: Refers to the Data Controllers Registry kept by the Personal Data Protection Authority.

Company: Refers to GLASSTECH FIRIN REFRAKTER ÇELİK İNŞAAT TURİZM SANAYİ VE TİCARET ANONİM ŞİRKETİ.

VERBIS: Refers to the Data Controllers Registry Information System.

Data Processor: Refers to the natural or legal person who processes personal data on behalf of the data controller upon the authorization granted by the data controller.

Data Recording System: Refers to the recording system in which personal data are structured and processed according to specific criteria.

Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

For any definitions not included in this Policy, the definitions in the Law and secondary legislation shall be applicable.

PERSONAL DATA

GENERAL PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA

In accordance with Article 4(2) of the Law and within the scope of the purposes exemplified under the section “Purposes of Processing Personal Data”, our Company processes personal data in compliance with the following principles:

Being processed lawfully and fairly,
Being accurate and, where necessary, kept up to date,
Being processed for specific, explicit and legitimate purposes,
Being relevant, limited and proportionate to the purposes for which they are processed,
Being retained for the period stipulated in the relevant legislation or for the period necessary for the purposes for which they are processed.

DATA PROCESSED BY OUR COMPANY

Personal data are processed by our Company on the basis of explicit consent obtained from data subjects or, where applicable, without being subject to explicit consent within the framework of the circumstances in which processing activities may be carried out pursuant to Articles 5 and 6 of the Law. Such data are processed only for the purposes exemplified under the section “Purposes of Processing Personal Data”.

The types of personal data processed in accordance with the above-mentioned principles vary and differ depending on the nature and type of the relationship between our Company and the data subject, the communication channels used and the stated purposes, and may be summarized as follows:

Information identifying the data subject such as name, surname, profession, title, employment information, educational background, gender, marital status, spouse/child information, nationality status, military service status, criminal record information, tax liability status,
Data contained in identification documents such as a copy of identity card, copy of civil registry record, passport and driving licence, including date of birth, place of birth, identity number, blood type, religion and photograph,
Contact information such as address, e-mail, telephone and fax number, as well as communication records within the scope of telephone calls and e-mail correspondence and other voice data,
Personal data relating to natural persons contained in documents relating to legal entities such as tax certificate, trade registry gazette, power of attorney, certificates of competence, signature circulars and certificates of activity,
Detailed financial data relating to pricing, reconciliations, collections and payment activities.

LEGAL GROUNDS FOR PROCESSING PERSONAL DATA

The granting of explicit consent by the data subject is only one of the legal grounds that enable the lawful processing of personal data. Apart from explicit consent, personal data may also be processed if one of the other conditions set out below is present. The legal basis of a personal data processing activity may be only one of these conditions, or more than one of these conditions may apply to the same personal data processing activity.

Where the data to be processed are special categories of personal data, the following conditions apply.

The legal grounds for the processing of personal data are as follows:

Presence of the data subject’s explicit consent,
Being expressly prescribed by laws,
Impossibility of obtaining the explicit consent of the data subject due to actual impossibility,
Necessity of processing for the conclusion or performance of a contract,
Necessity for our Company to fulfil its legal obligations,
Personal data having been made public by the data subject,
Necessity of data processing for the establishment, exercise or protection of a right,
Necessity of data processing for the legitimate interests of our Company, provided that the fundamental rights and freedoms of the data subject are not harmed.

Although the legal grounds for the processing of personal data by our Company differ, in all personal data processing activities our Company acts in accordance with the general principles set out in Article 4 of the Law.

LEGAL GROUNDS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

In Article 6 of the Law, certain categories of personal data which involve a risk of causing victimization or discrimination if processed unlawfully are defined as “special categories of personal data”. These data include: data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.

In compliance with the Law, special categories of personal data are processed by our Company under the following conditions, provided that adequate measures determined by the Board are taken:

If the data subject has given explicit consent; or
If the data subject has not given explicit consent:
- Special categories of personal data relating to the data subject, other than those concerning health and sexual life, may be processed where expressly prescribed by law;
- Special categories of personal data relating to the data subject’s health and sexual life may only be processed by persons or authorized institutions and organizations under an obligation of confidentiality, for the purposes of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and their financing.

CLASSIFICATION OF DATA SUBJECTS WHOSE PERSONAL DATA ARE PROCESSED BY OUR COMPANY

The natural persons whose personal data are processed by our Company are limited to members, potential members, employee candidates, visitors, supplier/business partner employees, Company representatives and third parties. The categories of data subjects included in the foregoing are detailed below. Our Company’s employees are assessed under the Employee Policy.

Member: Natural persons who are members of our Company, or natural person representatives of corporate members.
Prospective Member: Natural persons who are or may be interested in becoming a member of our Company.
Employee Candidate: Natural persons who have applied for a job at our Company by any means and have submitted a CV.
Visitor: Natural persons who have physically visited our Company or visited its website in any way.
Supplier/Business Partner Employees: Employees and authorized representatives of entities with which our Company has any kind of business relationship, from which it receives services or with which it cooperates.
Company Representatives: Members of the Board of Directors and shareholders of our Company.
Third Parties: Natural persons (such as guarantors, family members, relatives, etc.) whose personal data are processed by our Company due to its legal obligations or Company procedures.

PURPOSES OF PROCESSING PERSONAL DATA

Personal data may be processed by our Company for the following purposes and may be retained for the period stipulated by such purposes and the relevant statutory retention periods:

Planning and execution of corporate sustainability activities,
Ensuring the legal and commercial security of our Company and the persons who are in a business relationship with our Company,
Conducting activities for the determination and implementation of our Company’s strategies,
Ensuring the activation of membership procedures in accordance with the Law on Associations and all related legislation,
Carrying out our activities in line with the interests, policies, principles and objectives defined in the Articles of Association of GTR COMPANY,
Providing members with facilities such as membership, invitations and participation in events, and carrying out all necessary procedures in order to provide such facilities,
Customizing the products and services offered by GTR COMPANY and its related companies/entities and other natural and/or legal persons listed below in accordance with your preferences, usage habits and needs,
Conducting our human resources policies and meeting staffing needs,
Within the scope of the purposes and activities of GTR COMPANY, its related companies/entities and the other natural and/or legal persons listed below,
- Providing information regarding their services,
- Offering you the opportunity to benefit from their services and facilities related to their fields of activity,
- Informing and enabling you to benefit from their general and special campaigns and advantages such as promotions, announcements and discounts,
- Informing you of developments in relation to events, contents and goods and services offered by them,
- Informing you of conferences, seminars, fairs, workshops, governing bodies, member meetings and similar events organized by GTR COMPANY,
Evaluating personal data and information in anonymized form for statistical studies in order to improve services,
Informing you of the contents, facilities and developments relating to the sponsors, supporters, business partners, contracted institutions and events of GTR COMPANY,
Informing you of information, events and services requested by members,
Processing personal data, preferences, transactions and navigation time and details on platforms accessed via username and password through the www.glasstechrefractory.com and www.gtref.com websites together with other obtained data,
Managing and fulfilling requests or complaints,
Managing applications/mobile applications,
Ensuring the security of personal data retained by GTR COMPANY and, for this purpose, transferring personal data for storage,
Making copies/backups in order to prevent data losses,
Ensuring the fulfilment of legal obligations as required by or mandated under legal regulations, and
For the other purposes set out in the Law.

TRANSFER OF PERSONAL DATA

Within the framework of the purposes exemplified under the section “Purposes of Processing Personal Data” and in accordance with Articles 8 and 9 of the Law, our Company may transfer personal data domestically and abroad, and such personal data may be processed and stored on servers and electronic media used for this purpose.

The nature of these transfers and the parties to whom data are transferred vary depending on the nature and type of the relationship between the data subject and our Company, the purpose of transfer and the relevant legal basis. In general, the parties to whom data may be transferred are as follows:

Service providers from which our Company receives services and which are necessary for the continuity of our Company’s business processes, limited to the scope of the relevant services,
Public institutions and organizations, limited to the fulfilment of our Company’s legal obligations,
Private law persons authorized by law, limited to the scope of their legal authority and for the requested purpose,
Domestic and foreign third parties from which services are received,
Persons and entities from which services and/or consultancy are obtained,
Business partners with whom contracts have been executed,
Suppliers / business partners.

COLLECTION OF PERSONAL DATA

In order to fulfil the purposes exemplified under the section “Purposes of Processing Personal Data”, our Company may collect personal data directly from employees and suppliers, call centres, public institutions and other physical environments, as well as through websites, mobile applications, social media and other publicly available media or through training sessions, organizations and similar events, within the framework of the conditions stipulated in Articles 5 and 6 of the Law.

RETENTION PERIOD OF PERSONAL DATA

Personal data are retained within our Company for the statutory retention periods, and for as long as necessary for the activities and purposes related to such data. Upon expiry of the purpose of use and the statutory retention periods, personal data are deleted, destroyed or anonymized by our Company pursuant to Article 7 of the Law.

In this context, our Company has established the necessary operational mechanisms within the Company, and takes the necessary technical and administrative measures in order to fulfil its obligations. Our Company also trains, assigns and ensures the awareness of the relevant business units to ensure compliance with these obligations.

RIGHTS OF THE DATA SUBJECT UNDER THE LAW

Article 11 of the Law regulates the rights of natural persons whose personal data are processed. Under this Article, data subjects have the following rights vis-à-vis our Company:

To learn whether their personal data are processed,
To request information if their personal data have been processed,
To learn the purpose of processing of their personal data and whether they are used in accordance with their purpose,
To know the third parties to whom their personal data are transferred, domestically or abroad,
To request rectification of their personal data if they are incomplete or incorrectly processed,
To request the deletion or destruction of their personal data under the conditions set out in the relevant legislation,
To request that the rectification, deletion or destruction carried out in accordance with the relevant legislation be notified to third parties to whom their personal data have been transferred,
To object to the emergence of a result against themselves by means of analysis of processed data exclusively through automated systems,
To claim compensation for damages in case they suffer damage due to the unlawful processing of their personal data.

Requests from data subjects for the exercise of the above-mentioned rights shall be fulfilled by our Company within 30 days at the latest.

These requests may be submitted:

In person, together with identity documents, by delivery to the address Çobanyıldızı Cd. No:44, 34873 Kartal/İstanbul,
By sending via notary public, or
By sending to the address [email protected] via KEP/UETS/e-mail with secure electronic signature.

If the fulfilment of the requests requires an additional cost, our Company may request a fee at the rates determined in the relevant legislation.

TRANSFER OF PERSONAL DATA ABROAD

For the purposes of processing, storage, management or any other specified use, personal data may be transferred abroad in compliance with the data protection legislation, in order to fulfil the purposes exemplified under the section “Purposes of Processing Personal Data”. Our Company takes the necessary measures to ensure that personal data are adequately protected in such transfers.

SECURITY OF PERSONAL DATA

Our Company attaches importance to the confidentiality and security of personal data. Accordingly, the necessary technical and administrative security measures are taken to protect personal data against unauthorized access, damage, loss or disclosure. In this respect, our Company implements the necessary system access controls, data access controls, secure transfer controls, business continuity controls and other relevant corporate controls.

MEASURES TAKEN FOR THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the Law, our Company takes appropriate technical and administrative measures to prevent the unlawful processing of personal data and unlawful access to personal data and to ensure the secure retention of such data, and conducts or commissions the necessary audits in this context.

In this regard, our Company takes into account the special category of the personal data, the degree of confidentiality required by their nature, and the potential impact on the rights and freedoms of the data subject in the event of a security breach.

ADMINISTRATIVE MEASURES TAKEN BY OUR COMPANY

Training activities have been carried out to raise employees’ awareness regarding the protection of personal data.
A personal data security policy has been established and the necessary efforts have been made to ensure compliance with this policy.
Personal data that are no longer necessary for the purposes of processing are no longer retained.
Additional protocols on data security and transfer have been executed with data processors.
A personal data processing inventory has been prepared.

TECHNICAL MEASURES TAKEN BY OUR COMPANY

Security measures such as firewalls and gateways have been implemented to protect against unauthorized access via the internet.
Physical environments containing personal data are protected against external risks using appropriate methods, and entry and exit to such areas are controlled.
Commitments have been obtained from the cloud storage service provider regarding the sufficiency and appropriateness of the security measures it has implemented.
Data backup activities are carried out.

PUBLICATION AND RETENTION OF THE POLICY

The Policy is published in two different formats, namely as a wet-ink signed (hard copy) document and in electronic form, and is made publicly available on the Company’s website. The hard copy is also kept on file by the Contact Person/Personal Data Protection Committee.

COOKIES

Detailed information regarding our Company’s Cookie Policy can be accessed via www.glasstechrefractory.com and www.gtref.com.

EFFECTIVENESS AND UPDATES

This Policy entered into force on 01.01.2020, the date on which it was approved by our Company. The Policy is published on the Company’s website for an indefinite period and may be directly communicated to the data subject upon request by sharing the text or an access link.

Any amendments to the Policy shall enter into force following the approval of our Company. As a rule, the Policy is reviewed and updated once a year. However, in line with changes in legislation, amendments to any technical standard referred to, actions and/or decisions of the Personal Data Protection Board and court decisions, our Company reserves the right to review this Policy and, where necessary, to update or amend it, or to abolish it and adopt a new policy.

The authority to decide on the abolition of the Policy rests with our Company. If it is decided to abolish the Policy, the wet-ink signed hard copies of this Policy shall be cancelled and signed by the relevant unit and retained for 5 years.