RÖNESANS STEEL PERSONAL DATA PROTECTION AND PROCESSING POLICY


RÖNESANS STEEL PERSONAL DATA PROTECTION AND PROCESSING POLICY

INTRODUCTION

Based on Article 20 of the Constitution of the Republic of Türkiye and the Law No. 6698 on the Protection of Personal Data (KVKK), everyone has the right to request the protection of their personal data. This right includes the right to be informed about personal data related to oneself, to access such data, to request their correction and/or deletion and to learn whether they are used for their intended purposes.

Article 20 of the Constitution of the Republic of Türkiye and the Law No. 6698 on the Protection of Personal Data regulate the obligations of natural and legal persons who process personal data and the procedures and principles for the protection of fundamental rights and freedoms of individuals in the processing of personal data.

PURPOSE

Rönesans Steel Construction Industry & Trade Inc. (Rönesans Steel) Personal Data Protection and Processing Policy (Policy) has been prepared in order to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, and to regulate the obligations of real and legal persons who process personal data and the procedures and principles to be followed.

The Policy aims to maintain and improve the activities carried out by Rönesans Steel in compliance with the principles set forth in the KVK Law and to inform the owners of personal data.

SCOPE

Data owners whose personal data are processed within the scope of this Policy are categorized as follows.

  • Employees: Real persons who continue their employment relationship with Rönesans Steel.
  • Employee Candidates: Natural persons who apply for a job at Rönesans Steel or who make their resume and related information available to Rönesans Steel through any means.
  • Former Employees: Real persons whose employment relationship with Rönesans Steel has ended.
  • Visitors: Natural persons who have entered the physical facilities of Rönesans Steel for various purposes or who visit the websites.
  • Third Parties: Other natural persons, including but not limited to family members, etc., whose personal data are processed within the framework of this Policy, although not defined in the Policy.

DEFINITIONS

The definitions used in this Policy are given below:

  • Explicit Consent: Consent on a specific subject, based on information and expressed with free will.
  • Anonymization: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
  • Application Form: The form to be used by the owners of personal data whose personal data are processed within Rönesans Steel when using their applications regarding their rights described in Article 11 of the KVK Law.
  • Employee: Real persons who are dependent on Rönesans Steel and employed for a definite or indefinite period of time.
  • Employee Candidate: Real persons who apply for a job at Rönesans Steel or who make their resume and related information available to Rönesans Steel through any means.
  • Personal Health Data: Any health information relating to an identified or identifiable natural person.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
  • KVK Law: Law No. 6698 on the Protection of Personal Data.
  • KVK Board: Personal Data Protection Board.
  • KVK Institution: Personal Data Protection Board.
  • Sensitive Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
  • Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.
  • Personal Data Owner: The natural person whose personal data is processed and who is considered as “relevant person” in the KVK Law.
  • Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
  • Visitor: Natural persons who have entered the physical facilities of Rönesans Steel for various purposes or who visit the websites.

GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

Pursuant to Article 3 of the KVK Law, all kinds of operations performed on personal data such as obtaining, recording, storing, maintaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that they are part of any data recording system fall within the scope of processing personal data.

The following principles must be complied with in the processing of personal data:

  • Compliance with the law and good faith: Our Company carries out its personal data processing activities in accordance with the law and honesty rules in accordance with the KVK Law and the relevant legislation, especially the Constitution.
  • Being accurate and up to date when necessary: While carrying out the processing of personal data by our Company, all kinds of administrative and technical measures are taken to ensure the accuracy and currentness of personal data.
  • Processing for specific, explicit and legitimate purposes: Our Company explicitly and precisely determines its legitimate purpose for processing personal data before starting the processing of personal data.
  • Being relevant, limited and proportionate to the purpose for processing: Personal data are processed by our Company as long as necessary to fulfill the specified purposes. Data processing activities are not carried out with the assumption that it can be used later.
  • Retention for the period stipulated in the relevant legislation or required for the purpose for processing: Our Company stores personal data limited to the period stipulated in the KVK Law and the relevant legislation or as required by the purposes of the data processing activity. If the purpose of processing personal data has expired and the retention periods determined by the relevant legislation and/or our Company have expired, personal data may only be stored in order to constitute evidence in possible legal disputes, to assert the relevant right related to personal data or to establish a defense. Personal data are not stored by our Company based on the possibility of future use.

CONDITIONS OF PROCESSING PERSONAL DATA

Our Company may process personal data and sensitive personal data with the explicit consent of the personal data owner or without explicit consent in cases stipulated in Articles 5 and 6 of the KVK Law.

Processing of Personal Data

As a rule, our Company processes your personal data based on your explicit consent. However, we carry out our personal data processing activities in accordance with the data processing conditions set forth in Article 5 of the KVK Law without seeking your explicit consent:

  • Explicitly stipulated in the law.
  • Being mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
  • Provided that it is directly related to the conclusion or performance of a contract, being necessary to process personal data of the parties to the contract.
  • Being mandatory for our company to fulfill its legal obligations.
  • Been made public by the personal data owner himself/herself.
  • Data processing being mandatory for the establishment, exercise or protection of a right.
  • Data processing being mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

Processing of Special Categories of Personal Data:

Our Company carries out the processing of personal data of special nature in accordance with the data processing conditions set forth in Article 6 of the KVK Law. In addition, it is also essential to take adequate measures determined by the KVK Board in the processing of special categories of personal data.

Processing of sensitive personal data without the explicit consent of the personal data owner is prohibited. However, in the following cases, special categories of personal data may be processed without the explicit consent of the personal data owner:

  • Processing of Personal Health Data: Personal health data may be processed in the presence of one of the conditions listed below, provided that (i) adequate measures are taken as stipulated by the Ministry of Health, (ii) general principles are complied with, (iii) confidentiality is maintained:
    • Written explicit consent of the personal data owner.
    • Protection of public health.
    • Preventive medicine.
    • Carrying out medical diagnosis, treatment and care services.
    • Planning and management of health services and financing.
  • Processing of Sensitive Personal Data other than Health and Sexual Life: Data within this scope will be available with the explicit consent of the personal data owner or in cases stipulated by law.

ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA

In accordance with Article 12 of the KVK Law, our Company takes all necessary technical and administrative measures to prevent unlawful processing and access to the personal data it processes and to ensure the appropriate level of security to ensure the protection of personal data.

Technical Measures Taken to Ensure Lawful Processing of Personal Data and Prevent Unlawful Access

  • Rönesans Steel has taken all kinds of technical security measures to protect your personal data and has protected your personal data against possible risks.
  • Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and audited.
  • Software and hardware including virus protection systems and firewalls are available.
  • Systems in line with technological developments are used to store personal data in secure environments.

Administrative Measures Taken to Ensure Lawful Processing of Personal Data and Prevent Unlawful Access

  • Company employees are provided with training and awareness raising regarding the KVK Law.
  • Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the Law and cannot use them for purposes other than processing, and that this obligation will continue after they leave their duties, and necessary commitments are obtained from employees in this direction.

Measures to be Taken in Case of Unlawful Disclosure of Personal Data

In the event that the processed personal data is obtained by others illegally despite the necessary security measures taken, our Company will notify the relevant data owner and the KVK Board as soon as possible.

PURPOSES OF PROCESSING AND STORAGE PERIODS OF PERSONAL DATA

Purposes of Processing Personal Data

Personal data are processed by our Company for the purposes listed below:

  • Planning and execution of business activities,
  • Planning, supervision and execution of occupational health and safety processes,
  • Providing information to authorized institutions and organizations due to legislation,
  • Managing the recruitment processes of employee candidates,
  • Fulfillment of obligations arising from the employment contract and legislation for Company employees,
  • Execution/follow-up of financial reporting and risk management processes,
  • Execution/follow-up of legal affairs and transactions,
  • Planning and execution of the necessary audit activities to ensure that the activities are carried out in accordance with the Company’s procedures and relevant legislation,
  • Planning and execution of corporate sustainability activities,
  • Carrying out activities to protect the reputation of our company,
  • Planning and execution of corporate governance and communication activities,
  • Creation and follow-up of visitor records.

Retention Periods of Personal Data

Our Company determines whether a period of time is stipulated in the relevant legislation for the storage of personal data. If a period is stipulated in the relevant legislation, it complies with this period; If a period is not stipulated, it retains personal data for the period required for the purpose for which they are processed. If the purpose of processing personal data has expired and the retention periods determined by the relevant legislation and/or our Company have expired, personal data may only be stored in order to constitute evidence in possible legal disputes, to assert the relevant right related to personal data or to establish a defense. Personal data are not stored by our Company based on the possibility of future use.

DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

Pursuant to Article 7 of the KVK Law, personal data shall be deleted, destroyed or anonymized by our Company ex officio or upon the request of the personal data owner, if the reasons requiring the processing of personal data disappear, even though the personal data has been processed in accordance with the relevant legislation.

The procedures and principles regarding this matter will be fulfilled in accordance with the KVK Law and the Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224.

When you request the deletion or destruction of your personal data by applying to our company; If all the conditions for processing personal data have disappeared; your personal data subject to the request will be deleted, destroyed or anonymized. Your request will be finalized within thirty days at the latest and you will be informed.

If all the conditions for processing personal data have not disappeared, your request may be rejected by explaining the reason in accordance with paragraph 3 of Article 13 of the KVK Law and the rejection response will be notified to you in writing or electronically within 30 days at the latest.

Techniques for Deletion and Destruction of Personal Data

Deletion of personal data is the process of making personal data inaccessible and non-reusable in any way for the relevant users. Destruction of personal data is the process of making personal data…

Techniques for Anonymization of Personal Data

It means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED AND PURPOSES OF TRANSFER

The procedures and principles to be applied in personal data transfers are regulated in Articles 8 and 9 of the KVK Law, and the personal data and sensitive personal data of the personal data owner may be transferred to domestic and foreign third parties. Your personal data may be processed by Rönesans Steel in accordance with the Law and other legislation in order to ensure legal, technical and commercial business security and to maintain activities, and may be shared with legally authorized public institutions and organizations, legally authorized private law persons, including but not limited to those listed.

Domestic Transfer of Personal Data

In accordance with Article 8 of the KVK Law, the transfer of personal data within the country will be possible provided that one of the conditions specified in section 6 of this Policy titled “Conditions for Processing Personal Data” is met.

Transfer of Personal Data Abroad

In accordance with Article 9 of the KVK Law, in case personal data is transferred abroad, in addition to the fulfillment of the conditions regarding domestic transfers, the existence of one of the following issues is sought:

  • The country to which the transfer will be made is counted among the countries with adequate protection announced by the KVK Board
  • In the absence of adequate protection in the country of transfer, the data controllers in Türkiye and in the relevant foreign country undertake in writing to provide adequate protection and the permission of the KVK Board is obtained

Groups of Persons to whom Personal Data is Transferred by our Company

In accordance with Articles 8 and 9 of the KVK Law and within the scope of this Policy, our Company may transfer the personal data of the personal data owners within the scope of this Policy to the following groups of persons for the specified purposes:

  • Public Institutions and Organizations: Public institutions and organizations authorized to receive information and documents of our Company in accordance with the provisions of the relevant legislation. Limited to the purpose requested by the relevant public institutions and organizations within the framework of their legal authority.
  • Legally Authorized Private Law Persons: Private law persons authorized to obtain information and documents from our Company in accordance with the provisions of the relevant legislation. Limited to the purpose requested by the relevant private law persons within their legal authority.

DISCLOSURE OBLIGATION OF OUR COMPANY

In accordance with Article 10 of the KVK Law, personal data owners should be informed during the collection of personal data. In this context, our Company fulfills its disclosure obligation on the following issues:

  • Title of our Company as the data controller
  • The purpose for which personal data will be processed
  • To whom and for what purpose the processed personal data can be transferred
  • Method and legal grounds for collecting personal data
  • The rights of the personal data owner specified in section 12.1 of this Policy titled “Right of Petition”

RIGHTS OF PERSONAL DATA OWNERS AND EXERCISE OF THESE RIGHTS

In accordance with Article 13 of the KVK Law, the evaluation of the rights of personal data owners and the necessary information to the personal data owners are carried out through the Petition Form on www.ronesanscelik.com.tr as well as this Policy. Personal data owners will be able to send us their complaints or requests regarding the processing of their personal data within the framework of the principles specified in the relevant form.

Right of Petition

Pursuant to Article 11 of the KVK Law, anyone can make petitions regarding the following issues:

  • Learn whether their personal data is being processed,
  • Request information if their personal data has been processed,
  • Learn the purpose of processing personal data and whether they are used in accordance with their purpose,
  • Learn the third parties to whom personal data are transferred domestically or abroad,
  • Request correction of personal data in case of incomplete or incorrect processing and request notification of the transaction made within this scope to third parties to whom personal data is transferred,
  • Request the deletion, destruction or anonymization of personal data in the event that the reasons requiring the processing of personal data disappear and request notification of the transaction made within this scope to third parties to whom personal data is transferred,
  • Object to the occurrence of a result to the detriment of the data subject by analyzing the processed data exclusively through automated systems,
  • Request compensation for damages in case of damage due to unlawful processing of personal data.

Situations Excluded from the Scope of the Right of Petition (Exceptions)

Pursuant to Article 28 of the KVK Law, it will not be possible for personal data owners to assert their rights in the following cases:

  • Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that their personal data is not disclosed to third parties and the obligations regarding data security are complied with.
  • Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
  • Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
  • Processing of personal data by judicial or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.

Pursuant to paragraph 2 of Article 28 of the KVK Law, data owners will not be able to assert the rights of personal data owners, except for the right to demand compensation for the damage:

  • Processing of personal data is necessary for the prevention of crime or criminal investigation.
  • Processing of personal data made public by the data subject him/herself.
  • Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.
  • The processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters.

Response Procedure

In accordance with Article 13 of the KVK Law, our Company will finalize the petition requests made by the personal data owner, free of charge, as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. In accordance with Article 13 of the KVK Law, your application must be submitted to our Company in writing or by other methods determined by the KVK Board.

The petition of the personal data owner may be rejected in the following cases:

  • Preventing the rights and freedoms of other persons.
  • Requiring disproportionate effort.
  • The information is publicly available.
  • Compromising the privacy of others.
  • Existence of one of the situations excluded from the scope pursuant to the KVK Law.

PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT WITHIN THE COMPANY AND DATA PROCESSING ACTIVITIES CARRIED OUT ON THE WEBSITE

Entry and Exit of Customers Visiting the Company

Personal data processing activities are carried out to track the entry and exit of our guests who visit our company. While obtaining the name-surname information of the persons who come to our company, the data in question are processed only for this purpose and the relevant personal data are recorded in the recording system in physical environment.

Website Visitors

Internet movements within the website are recorded in order to ensure that people who visit our company’s website can perform their visits in accordance with their purpose of visit, to show them customized content and to carry out online advertising activities.

KVK Project Team

In order to fulfill its obligations under the KVK Law, Rönesans Steel makes the necessary assignments within the company for the implementation of the matters specified in this Policy and establishes procedures accordingly. A Project Team has been established by Rönesans Steel to manage this Policy and the procedures related to this Policy within the scope of the KVK Law. The Project Team has duties such as distributing the necessary tasks to raise awareness within the company, following up the audits to be carried out, taking the necessary actions to resolve the applications of the relevant persons, conducting relations with the KVK Institution, etc.

This Policy may be revised by Rönesans Steel when deemed necessary. In case of revision, the most up-to-date version of the Policy will be available on the Company’s website.