SANCAK ETIKET A.Ş

PERSONAL DATA PROTECTION, PROCESSING AND DESTRUCTION POLICY

CONTENTS

1- INTRODUCTION

2- PURPOSE

3- SCOPE

4- PROCESSING OF PERSONAL DATA OBTAINED/TO BE OBTAINED WITHIN THE SCOPE OF EMPLOYEE CANDIDATES, EMPLOYEES AND COMMERCIAL ACTIVITIES (PRODUCERS-SUPPLIERS-SUBCONTRACTORS-CUSTOMERS)
4.1- Documents to be Requested from Employees and Employee Candidates
4.2- Purpose of Processing Personal Data of Employee Candidates
4.3- Sensitive Personal Data of Employees and Employee Candidates
4.4- Places to Which Personal Data of Employee Candidates Can Be Transferred
4.5- Purpose of Processing Employee Personal Data
4.6- Places to Which Employee Personal Data Can Be Transferred
4.7- Purpose of Processing Personal Data of Customers, Suppliers and Visitors
4.8- Sensitive Personal Data of Customers, Suppliers and Visitors
4.9- Places to Which Personal Data of Customers, Suppliers and Visitors Can Be Transferred
4.10- Processing of Personal Data Related to Internet Use
4.11- Processing of Personal Data Related to Security Camera Application

5- RETENTION AND DESTRUCTION PERIODS OF PERSONAL DATA

5.1- Personal Data Recording Media

5.2- Retention Periods of Personal Data

5.3- Destruction of Personal Data

6- SECURITY AND MEASURES FOR PERSONAL DATA

6.1- Technical and Administrative Measures for Processing, Protecting and Retaining Personal Data

7- DESTRUCTION OF PERSONAL DATA

8- RIGHTS OF PERSONAL DATA SUBJECTS

9- ENFORCEMENT AND UPDATABILITY

10- DEFINITIONS

1- INTRODUCTION

Within the scope of the Law No. 6698 on the Protection of Personal Data, which entered into force on March 24, 2016, procedures and principles have been established to protect the fundamental rights and freedoms of individuals—particularly the right to privacy—regarding the processing of personal data, and to define the obligations of natural and legal persons processing such data. Accordingly, this PERSONAL DATA PROTECTION, PROCESSING AND DESTRUCTION POLICY has been prepared to track and ensure the execution of the necessary procedures by the DATA CONTROLLER for storing, processing, and, upon the elimination of the need for such processing and storage, destroying information obtained by our Company and considered personal data under the law.

In this context, in our capacity as the Data Controller as defined under the Personal Data Protection Law, and within the framework of our diligence and responsibility for ensuring the security of personal data of employee candidates, employees, visitors, employees of institutions with whom we collaborate, and other real persons, this policy has been established to ensure the lawful processing, recording, storage, and—within the boundaries permitted by law—transfer/disclosure and destruction of personal data to third parties only for the purposes for which they were processed. These processes will be carried out in compliance with applicable legislation, as well as generally accepted ethical standards and principles of good faith, in a manner that is relevant, limited, and proportionate to the intended processing purpose, and for a period required by the relevant laws or the processing purpose itself.

2- PURPOSE

The main purpose of this Policy is to define the basic principles of the Company regarding the processing and protection of personal data of employee candidates, employees, visitors, employees of institutions with whom we collaborate, and other real persons, and to ensure that such principles are understood by the relevant parties.

3- SCOPE

This Policy covers all personal data of employee candidates, employees, visitors, employees of institutions with whom we collaborate, and other real persons that are processed either automatically or non-automatically as part of a data recording system.

4- PROCESSING OF PERSONAL DATA OBTAINED/TO BE OBTAINED WITHIN THE SCOPE OF EMPLOYEE CANDIDATES, EMPLOYEES, AND COMMERCIAL ACTIVITIES (PRODUCER-SUPPLIER-SUBCONTRACTOR-CUSTOMER)

4.1- Documents to Be Requested from Employees and Employee Candidates:

  • Identity Data

    • Your name, surname, Turkish ID number, date of birth, country and city of birth, gender, marital status, nationality

  • Contact Data

    • Your phone number, full address, email address

  • Sensitive Personal Data

    • Disability status, blood type, reason for military exemption, criminal record, health condition, fingerprint and retina scan, facial scan, etc.

  • Education Data

    • Your education level, school names, graduation details (GPA, academic terms), foreign language skills, trainings, certifications, computer skills

  • Visual and Audio Data

    • Total experience, current work status and title, job experiences (company names, employment periods, job descriptions), driver's license details, skills, hobbies, salary expectations, military service status, reference details

4.2- Purpose of Processing Personal Data of Employee Candidates

The personal data of employee candidates are processed for the following purposes, based on their job applications and the potential establishment of an employment relationship:

  • Recruiting new staff, reviewing applications, identifying suitable candidates
  • Sharing resume notes with managers to better evaluate the candidate
  • Verifying information through the references provided
  • Assessing compatibility with the role and storing the resume for future reference
  • Saving the CV shared via email for potential short or long-term needs

4.3- Sensitive Personal Data of Employees and Employee Candidates

According to the Law on the Protection of Personal Data, sensitive personal data includes race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance, association/foundation/union membership, health, sexual life, criminal convictions, security measures, biometric and genetic data.

4.4- Recipients of Personal Data of Employee Candidates

Your personal data may be shared with individuals listed as references and the human resources department managing the recruitment process for the purpose of verification.

4.5- Purpose of Processing Employee Personal Data

The personal data of employees are processed for the following purposes within the framework of the employee-employer relationship:

  • Planning and execution of human resources processes
  • Creation of personnel records and payroll management
  • Employment contract management
  • Provision of health services
  • Assignment of phones, lines, and vehicles to employees
  • Execution of authorization and signature circular processes
  • Emergency preparedness and execution
  • Occupational health and safety procedures
  • Accident and compliance management under OHS
  • Structuring of service procurement contracts
  • Information security planning, auditing, and execution
  • Email account creation and authorization for employees
  • Recording of internet logs
  • Planning and execution of corporate communication
  • Planning of employee travel and managing advance processes
  • Card and shuttle registration for staff entry
  • Continuity of budgeting processes
  • Providing and managing employee training
  • Planning and execution of in-company orientation programs
  • Managing board resolutions
  • Planning and management of general assembly meetings
  • Monitoring of lawsuits and legal matters

4.6- Transfers of Employee Personal Data

Within the scope of the purposes described above, personal data processed may be transferred, in compliance with the fundamental principles set out in the Personal Data Protection Law and under the conditions and purposes specified in Articles 8 and 9 of the Law, to business partners, shareholders, and where relevant, to Public Institutions and Organizations (such as SGK, İşkur, and other legally authorized public bodies), banks, independent audit companies, and commercial partners with whom we maintain business relationships. A portion of your personal data (such as professional qualification certificates, occupational health and safety training forms, SGK records, etc.) may be shared with these parties, as well as other institutions and organizations permitted within the framework of legal regulations.

4.7- Purpose of Processing Personal Data of Customers, Suppliers, and Visitors

  • Product sales
  • Provision of after-sales services
  • Wholesale spare parts and accessories sales
  • Fulfillment of licensee and dealership agreements
  • Execution of collection transactions, including mail orders and transfer instructions
  • Product/service promotions, personalized advertisements, campaigns, and other benefits, sending commercial electronic messages within the scope of loyalty programs, surveys, telesales practices, and providing various advantages via statistical analyses
  • Improving service quality and delivering better service
  • Issuance of invoices in exchange for services provided
  • Procurement of external services
  • Receiving services for areas outside our expertise and obtaining technology services
  • Identity verification
  • Responding to inquiries and complaints
  • Taking necessary technical and administrative measures for data security
  • Ensuring financial reconciliation regarding the products and services provided with relevant partners and third parties
  • Providing necessary information in line with requests and audits of regulatory and supervisory institutions and official authorities
  • Preservation of data required to be retained under applicable regulations
  • Ensuring audit of data consistency
  • Measuring customer satisfaction
  • Using data obtained through the website or social media channels for marketing purposes through third-party agencies
  • Fulfilling legal obligations
  • Execution/follow-up of financial reporting and risk management procedures
  • Execution/follow-up of legal affairs
  • Creation and tracking of visitor records

4.8- Sensitive Personal Data of Customers, Suppliers, and Visitors

Within the scope of the Personal Data Protection Law, sensitive personal data includes information such as race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and appearance, membership in associations, foundations or trade unions, health, sexual life, criminal convictions, security measures, biometric and genetic data.

4.9- Transfers of Personal Data of Customers, Suppliers, and Visitors

Our company may, in accordance with the lawful purposes of personal data processing, transfer personal data and sensitive personal data of data subjects to third parties by taking necessary security measures. While our company generally does not share its records with foreign countries, personal data may be transferred to foreign countries declared to have adequate protection under the Personal Data Protection Law and related regulations. The reasons for such transfers are as follows:

  • If there is an explicit provision in the law regarding the transfer of personal data
  • If transfer of personal data is directly related to the establishment or performance of a contract
  • If it is necessary to transfer personal data to fulfill a legal obligation
  • If it is necessary for the establishment, exercise or protection of a right
  • If it is necessary for the legitimate interests of our Company, provided it does not harm the fundamental rights and freedoms of the personal data subject

4.10- Processing of Personal Data Regarding Internet Use

Within our company, internet access log records related to internal computer and network systems are kept in accordance with the "Law on Regulation of Publications on the Internet and Combating Crimes Committed Through Such Publications" and other relevant legislation. These logs are kept to prevent industrial espionage, unauthorized sharing of company materials, and to monitor activities outside of job responsibilities during working hours. These records may be processed to meet legal obligations or upon request of authorized public institutions or during internal audits of our company.

4.11- Processing of Personal Data Related to Security Camera, Retina Scan, and Fingerprint Applications

Our company may process certain personal and sensitive personal data to ensure workplace safety and security. Surveillance activities using security cameras and biometric systems such as fingerprint and retina scans are carried out to monitor and record employees and guests inside the company premises. These processes are conducted with the awareness of employees and after informing visitors, and technical, administrative, and technological measures are taken to ensure the security of personal data in accordance with the Personal Data Protection Law.

5- RETENTION AND DESTRUCTION PERIODS OF PERSONAL DATA AND DESTRUCTION POLICY

5.1- Personal Data Recording Media

Personal data processed by our company for purposes such as forming employee personnel files, keeping visitor logs, evaluating job applications, and maintaining customer and supplier records are securely stored in both non-electronic (e.g., paper, forms, printed documents) and electronic environments (e.g., servers, software systems, work computers, mobile devices, optical disks, memory devices).

5.2- Retention Periods of Personal Data

Our company stores personal and/or sensitive personal data of employee candidates, employees, customers, suppliers, visitors, and employees of third-party institutions in compliance with the retention conditions specified in the Personal Data Protection Law and for periods stipulated in other relevant laws. If no legal period is specified, data is retained for a period required by the nature of the situation, our company practices, or industry norms. These include:

  • Law No. 6698 on the Protection of Personal Data
  • Turkish Code of Obligations No. 6098
  • Social Insurance and General Health Insurance Law No. 5510
  • Labor Law No. 4857
  • Law No. 5651 on Regulation of Internet Publications and Combating Crimes Committed Through These Publications
  • Occupational Health and Safety Law No. 6331
  • Tax Procedure Law No. 213
  • Turkish Civil Code No. 4721
  • Turkish Commercial Code No. 6102
  • Code of Execution and Bankruptcy No. 2004, and other legislation governing the retention periods of personal data

5.3- Destruction of Personal Data (Deletion, Erasure, and Anonymization)

Personal data processed by our company will be deleted, erased, or anonymized in the following cases, in accordance with the Regulation on Deletion, Erasure, or Anonymization of Personal Data:

  • When all conditions for processing personal data cease to exist
  • If the data subject withdraws their explicit consent
  • Upon request by the data subject for deletion, erasure, or anonymization of their personal data
  • Upon decision of the Personal Data Protection Board
  • When the retention period required by law expires, personal data is deleted, erased, or anonymized ex officio or upon the request of the data subject

6- PERSONAL DATA SECURITY AND MEASURES

6.1- Technical and Administrative Measures for the Processing, Protection, and Storage of Personal Data

Our company has established or will establish policies to ensure the secure storage of personal and sensitive personal data, to prevent unauthorized access by third parties, to prevent processing for purposes other than those legally permitted, and to ensure deletion when the purpose of storage ceases to exist.

Technical Measures

  • Protection of computer systems using antivirus software against external interventions
  • Authorization and restriction of access to IT systems; disabling access for former employees
  • Performing penetration tests on IT systems and implementing necessary measures based on results
  • Restricting access to server rooms, logging personal data access
  • Applying special protection measures for sensitive personal data
  • Regularly updating and securing computer passwords; employing technical experts
  • Securely storing printed documents in locked areas accessible only by authorized personnel

Administrative Measures

  • Providing relevant training to personnel
  • Conducting internal audits
  • Creating inventories

7- DESTRUCTION OF PERSONAL DATA

When the conditions listed above are met, personal data is destroyed:

  • Data on servers and in electronic environments is permanently deleted and access is revoked
  • Physical records are destroyed using shredders; USB drives, optical and magnetic cards are physically destroyed
  • Our company’s periodic data destruction interval is set at 6 months; however, if data is found to no longer meet processing conditions or exceed legal retention periods, destruction is carried out immediately

Data anonymization: Personal data processed by our company may be anonymized upon cessation of the processing purpose or at the request of the data subject, making it impossible to associate the data with an identifiable real person, even by matching with other data.

8- RIGHTS OF PERSONAL DATA SUBJECTS

In accordance with Article 11 of the Personal Data Protection Law, individuals may apply in person, verifying their identity, to:

  • Learn whether their personal data is processed
  • Request information if personal data has been processed
  • Learn the purpose of processing and whether data is used in line with this purpose
  • Know the third parties to whom personal data is transferred domestically or abroad
  • Request correction of personal data if it is incomplete or incorrectly processed
  • Request deletion or destruction of personal data within the framework of Article 7
  • Request that actions taken under (d) and (e) are notified to third parties to whom personal data has been transferred
  • Object to results arising against them from analysis by automated systems
  • Request compensation if they suffer damage due to unlawful processing of personal data

Requests will be finalized within thirty days, free of charge, depending on the nature of the request. However, if the process incurs a cost, a fee determined by the Personal Data Protection Board may be charged.

9- ENFORCEMENT AND UPDATABILITY

This policy on the Processing, Protection, Storage, and Destruction of Personal Data, created by our workplace, may be updated from time to time in accordance with legal legislation, practice regulations, and the needs of the company. These updates will be shared through appropriate methods and our website, and relevant individuals may follow them to stay informed of changes.

SANCAK ETIKET MATBAA AMBALAJ INSAAT SANAYI VE TICARET A.Ş. (Data Controller)
NOSAB Meşe Cad. No:24 Nilüfer / BURSA

10- DEFINITIONS

Personal Data: Any information relating to an identified or identifiable natural person.

Personal Data Subject: The natural person whose personal data is processed.

Processing of Personal Data: Any operation performed on personal data, whether fully or partially automatic, or non-automatic provided that it is part of a data recording system, including collection, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, acquisition, making data available, classification, or preventing its use.

Sensitive Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, clothing and appearance, membership in associations, foundations, or unions, health, sexual life, criminal convictions, security measures, and biometric and genetic data.

Explicit Consent: Freely given, specific, informed consent regarding a particular subject.

Anonymization: Making personal data impossible to associate with an identifiable individual, even when matched with other data.

Employees, Shareholders, and Authorized Persons of Partner Institutions: Natural persons working in institutions with which our company has business relationships (e.g., partners, suppliers), including their shareholders and authorized representatives.

Third Parties: Other natural persons not covered by this Policy or the Personal Data Protection Policy (e.g., guarantors, companions, employee candidates).

Data Controller: The person who determines the purposes and means of processing personal data and manages the data recording system.

Visitor: Real persons who enter properties owned by our company for various purposes or visit our websites.

DOWNLOAD