Personal Data Protection Policy

As Sönmez Cement, we attach importance to the privacy and security of your personal data. In this context, we would like to inform you about how we process, use and protect the personal data we obtain from our customers, suppliers, business partners, employees and officials and all other third parties when conducting our business relations.

All concepts and statements used in this notice shall refer to the meaning attributed to them in the Personal Data Protection Law No. 6698 (“KVKK”) and other legislation. The term “you” in this Notice refers to you. The term personal data is used to include personal data of special quality. The meanings expressed by the terms and abbreviations in The Policy are included in the Appendix – Abbreviations section.

We would like to remind you that if you do not choose to process your personal data as set out in the Policy, you should not pass on your personal data to us.

Please note that it is your responsibility to ensure that the personal data you transmit to our company is accurate, complete and up-to-date as far as you know. Furthermore, if you share other people’s data with us, it will be your responsibility to collect such data in accordance with local legal requirements. In this case, it will mean that you have obtained all necessary permissions from the third party in question for us to collect, process, use and disclose their information, and our Company shall not be held responsible for this.

ABOUT SÖNMEZ CEMENT

Sönmez Cement Construction and Mining Industry and Trade Ltd. started production in Adana Yumurtalık TAYSEB Free Zone in October 2014. The factory, which started construction in December 2012, has been designed in accordance with current environmental legislation with state-of-the-art de-pollen systems and also maintains it’s green factory feature with the use of alternative fuel and renewable energy sources.

With a 413-acre field and more than 200 employees, Sönmez Cement is the first and only cement factory in Türkiye that is allowed to be established within free zones. Sönmez Cement, which commissioned it’s own port in November 2017, uses this advantage to provide the best service to it’s customers in the fastest way. In addition, Sönmez Cement aims to contribute to the country’s exports by opening the port facility to the 3rd parties as of February 2021.

Sönmez Cement, which produces 2 million tons of clinker and 2.16 million tons of cement annually, makes the majority of it’s sales as exports.
The expressions “we” or “Company” or “Sönmez Cement” in the Policy, The Center: Demirtas Dumlupınar Mahallesi Istanbul Sokak Sönmez ASF İplik Sitesi No:568 PK: 16110 Osmangazi / Bursa, Adana Branch: Adana Yumurtalık Free Zone Sarımazı SB Mahallesi 2. Bulvar 5. Cadde No. 5/01 PK: 01920 Ceyhan / Adana, Istanbul Branch: Ayazaga Mahallesi Azerbaycan Caddesi No:3-I Vadistanbul Bulvar 2A Blok Daire: 31 PK: 34396 / 11965 Sarıyer / Istanbul, 119332 at the Bursa Trade Registry operating at the address of Istanbul is related to the personal data processing activities carried out as a Data Controller by Sönmez Cement Construction and Mining Industry and Trade Ltd.

OUR PERSONAL DATA PROCESSING PRINCIPLES

All personal data processed by our company are processed in accordance with the POPD and related legislation. The basic principles and principles that we pay attention to when processing your personal data in accordance with Article 4 of the POPD are described below:

  1. Processing in accordance with the Law and Integrity Rule: Our company acts in accordance with the principles and general trust and honesty rule introduced by legal regulations in the processing of personal data. In this context, our Company takes into account the requirements of proportionality in the processing of personal data and does not use personal data except as required by the purpose.
  2. Ensuring That Personal Data Is Accurate and Up-to-Date When Needed: Our company; it ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of the owners of personal data and their own legitimate interests.
  3. Processing for Specific, Explicit and Legitimate Purposes: Our Company clearly and unequivocally determines the purpose of processing personal data, which is legitimate and lawful. Our company processes personal data in connection with and as much as necessary for the products and services it provides.
  4. Being Connected, Limited and Measured for The Purposes For which They Are Processed: Our Company processes personal data in a manner conducive to the realization of the specified purposes and avoids the processing of personal data that is not related to or needed for the realization of the purpose.
  5. Maintaining for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed: Our Company retains personal data only for as long as is specified in the relevant legislation or necessary for the purpose for which they are processed. In this context, our Company first determines whether a period of time is foreseen for the storage of personal data in the relevant legislation, acts in accordance with this period if a period is specified, and stores personal data for the period required for the purpose for which they are processed if a period has not been specified. Personal data is deleted, destroyed or anonymized by our Company if the reasons requiring the expiration or processing of the period disappear.

 

DATA OWNER CATEGORIES

 

Categories of data owners other than employees (including interns and sub-employer company employees) whose personal data are processed by our company are listed in the table below. A separate policy regarding the processing of the personal data of our employees has been established and implemented within the company. Persons who are outside the following categories will also be able to submit their requests to our Company within the scope of POPD; their claims will also be evaluated.

 

RELATED PERSON CATEGORY EXPLANATION
Customer Real or legal persons who purchase our products
Lead Natural or legal persons who have requested or made an interest in purchasing our products or who may have this interest are evaluated in accordance with the rules of practice and integrity
Visitor Real persons who have entered the physical facilities (offices, factories, etc.) owned by our company or where an organization is carried out for various purposes or who visit our websites
Third party Third-party natural persons (e.g. guarantors, companions, family members and relatives) associated with our Company to ensure the security of business transactions between the aforementioned parties or to protect the rights and interests of the persons mentioned, or all natural persons (e.g. former employees) with whom our Company is bound to process its personal data for a specific purpose, although it is not expressly specified under the Policy.
Employee Candidate / Trainee Candidate Natural persons who have applied for a job in any way or have opened their résumé and related information to the review of our Company
Employees, Shareholders, Officials of the Institutions We Cooperate with Real persons working in the institutions (business partners, suppliers, etc.) with which our Company has any business relations, including, including, but not limited to, the shareholders and officials of these institutions

 

WHEN DO WE COLLECT PERSONAL DATA ABOUT YOU?

 

We collect your personal data mainly in the following situations:

  1. When you purchase or use our products,
  2. When you sell goods or provide services to us,
  3. When you subscribe to our newsletters, when you choose to receive our marketing messages,
  4. When you contact us to submit complaints or feedback via means such as email or phone,
  5. When you apply for a job with our company,
  6. When you participate in our company events, seminars, conferences and organizations,
  7. When you contact us for any purpose as a potential customer/supplier/business partner/sub-employer.

We will only process the personal data we obtain in the above cases in accordance with this Policy.

WE PROCESS PERSONAL DATA ABOUT YOU?

The personal data we process about you varies according to the type of business relationship between us (e.g. customer, supplier, business partner, etc.) and the way you contact us (e.g. telephone, email, printed documents, etc.).

Basically, our personal data processing methods are situations where you participate in our business activities, surveys or interact with us in any other way, via phone or email. In this context, the personal data we process for you can be described under the following categories:

 

Data categories

 

Examples

Credentials Information contained in identity documents such as name, surname, date of birth
Contact information Email, phone number, address
Pictures and/or videos that can identify you Photo and video images and auditory data processed when you visit our Company for security reasons or when you participate in events organized by our Company
Financial data Bank account data, invoice information, financial transaction breakdown, advance information, credit card information, copies of the letter of guarantee, debt information
Any other information you decide to share voluntarily with Sönmez Cement Personal data you share on your own initiative, feedback, feedback, requests and complaints you provide to us, reviews, comments and assessments of them, uploaded files, interests, information provided for our detailed review process before establishing a business relationship with you
Electronic data collected automatically When you visit or use our website, subscribe to our newsletters, interact with us through other electronic channels, we may also collect electronic data sent to us by your computer, mobile phone or other access device in addition to the information you transmit directly to us (e.g. device hardware model, IP address, operating system version and settings, time and time using our digital channel, links you click, etc.)
Legal action and compliance information Determination of our legal receivables and rights, follow-up and performance of our debts and your personal data processed within the scope of compliance with our legal obligations and policies of our Company, audit and inspection data, personal data processed within the scope of the issuance of invoices for stores due to the execution of customer billing processes, power of attorney, signatures, signature circulars, case file surrogates, execution and salary foreclosures, alimony follow-ups
Enterprise Customer/Supplier data Information obtained about data subjects such as employees and signatories within the scope of the sales of our products as a result of the operations carried out by our business units
Event management and security information Information and assessments collected about events that may potentially affect our company’s employees, managers or shareholders, vehicle license plate and vehicle information, transportation and travel information, internet access Log log records, IP address tracking, user account information, location-location (gps) information, login and exit records
Personal data collected from other sources To the extent permitted by applicable laws and regulations, we may also collect your personal data through public databases, methods and platforms where our business partners we work with collect personal data on our behalf. For example, before establishing a business relationship with you, we may conduct research on you from public sources to ensure the technical, administrative and legal security of our business activities and transactions. In addition, there may be the transmission of certain personal data belonging to third parties by you (e.g. personal data of guarantors, companions, family members, etc.). In order to manage our technical and administrative risks, we may process your personal data through methods used in accordance with the generally accepted legal, commercial procedures and honesty rules in these areas. Camera recordings, audit and inspection records, information obtained within the scope of traffic, pension and health insurance.

 

PROCESSING PERSONAL DATA OF WORKING CANDIDATES

To understand the experience and qualifications of the candidate as well as the above categories of personal data, to evaluate the suitability of the candidate for the open position, to check the accuracy of the information transmitted if necessary, and to conduct research about the candidate by contacting the third parties to whom the candidate provides the contact information, to contact the candidate regarding the job application process, to recruit in accordance with the open position, In order to comply with the legal regulations and to implement the recruitment rules and human resources policies of our Company, we collect the personal data of the school where graduated, previous work experience, disability status, etc.

Personal data of employee candidates, job application form in written and electronic media, Our Company’s electronic job application platform, applications submitted to our Company physically or by e-mail, employment and consultancy companies, interviews conducted face-to-face or electronically, checks carried out by our Company about the candidate working, recruitment tests carried out by human resources specialists to evaluate the suitability of the candidate in the recruitment process is processed.

Employee candidates are illuminated in detail in accordance with the POPD with a separate document before submitting their personal data when applying for a job and their explicit consent is obtained for the necessary personal data processing activities.

PROCESSING PERSONAL DATA OF OUR VISITORS IN OUR OFFICES

Our company processes personal data for the purposes of ensuring the physical safety of our Company, employees and visitors and auditing workplace rules during the entry and exit procedures of visitors to its building and factory. In this context, the name and surname and HES Code, TC id and license plate numbers of our visitors are confirmed with their IDs and registered in the visitor system for the purpose of tracking the visitor in and out. However, the identity of the visitor is not kept during the period of time he/she is in the company, and after the registration mentioned in the visitor system is made, the id is returned to the visitor.

The visitor is illuminated about the processing of their personal data with an illuminated text in the security entrance before their information is received. However, in this context, the visitor’s explicit consent is not obtained in accordance with POPD m. 5/2/f because our company has a legitimate interest. This data is only kept in the visitor registration system and is not transferred to any other medium unless there is a suspicious situation that threatens the company’s security. However, this information can be used in cases such as preventing crime and ensuring the safety of the Company.

In addition, for the purposes specified in the Policy and to ensure the security of our Company; Internet access can be provided to our visitors who request it during your stay in our company offices. In this case, log records regarding your internet access are recorded in accordance with the Law No. 5651 and the orderly provisions of the legislation regulated in accordance with this law; these records are processed only for the purpose of requesting them by authorized public institutions and organizations or to fulfill our relevant legal obligation in the audit processes to be carried out within the Company.

Only a limited number of Sönmez Cement employees can access the log records obtained within this framework. Company employees who have access to the aforementioned records access these records only for use in the request or audit processes from authorized public institutions and organizations and share them with legally authorized persons.

PROCESSING PERSONAL DATA VIA CLOSED CIRCUIT CAMERA RECORDING

Security cameras are used to ensure the security of our company and facility and personal data is processed in this way. Within the scope of security camera monitoring activity, our company; to improve the quality of the service provided, to ensure the safety of the life and property of the company’s physical campuses and persons within the company, to prevent abuses and to protect the legitimate interests of the data owners.

Personal data processing activities carried out by our company with security cameras are carried out in accordance with the Constitution, KVKK, The Law no. 5188 on Private Security Services and related legislation.

In accordance with KVKK m. 4, our Company processes personal data in a limited and measured manner, linked to the purpose for which they are processed. The person’s privacy is not monitored in a way that exceeds their security purposes as a result of interference. In this context, warning signs are placed in the common areas where CCTV is recorded and the data owners are informed. However, due to the fact that our Company has a legitimate interest in keeping CCTV recordings, their explicit consent is not obtained. In addition, in accordance with KVKK m. 12, necessary technical and administrative measures are taken to ensure the security of the personal data obtained as a result of THE SURVEILLANCE activity.

In addition, a procedure has been prepared regarding the areas with CCTV cameras, the viewing areas of the cameras, the retention times of the recordings and the application has been taken in our Company. This procedure is taken into account before the CCTV camera is placed and the camera is then placed. Cameras are not allowed to be installed to a degree that exceeds the security purpose and exceeds the privacy of individuals. Only a certain number of Company personnel access CCTV camera footage and these powers are regularly reviewed. Personnel with access to these records sign a commitment to protect personal data in accordance with the law.

A total of 60 security cameras in the service area such as entrance doors, open work sites, building and facility exterior, automation, system rooms, archives within our company offices, factory and port are recorded and the recording process is supervised by the Security unit in order to ensure building security.

WE USE YOUR PERSONAL DATA FOR CERTAIN PURPOSES?

The purposes for which we use your personal data vary depending on the type of business relationship between us (e.g. customer, supplier, business partner, etc.). Basically, our purposes for processing your personal data are as follows. Personal data processing activities related to Employee Candidates are explained under the “Processing of Personal Data of Employee Candidates” section above.

 

 

Our Personal Data Processing Purposes

 

Examples

Assess potential suppliers/partners Conducting our review and conflict of interest process in accordance with our risk rules
Customer establishment and management of relations, execution and conclusion of the contract process with our Suppliers/business partners Carrying out sales transactions of our Company’s products, submitting proposals for our products, supplying goods, billing (including e-invoice and credit invoice processes), establishing and performing contracts, ensuring post-contract legal transaction security, improving our services, evaluating new technologies and applications, determining and implementing our Company’s commercial and business strategies, managing operations (demand, proposal, evaluation, order, budgeting, contract), provision of product transportation organizations, execution of financial operations and making agreements with our suppliers and customers within this scope, managing financial affairs, providing alternatives to legal/natural persons with whom it has a commercial relationship, carrying out documentation studies within the framework of quality standards, making raw material specifications, concluding samples and analyses, carrying out device maintenance and repairs, preparation of the rights forms of suppliers, sharing the relevant documents with the customer after sales, sending documents with domestic and international cargo companies, making hotel and transportation reservations of incoming customers, carrying out technical material control, shipping and return process, creating records in the system for suppliers, making product analyses and following their specifications, monitoring and storing annual maintenance agreements, customer or supplier visits carrying out tender processes with suppliers, obtaining the necessary legal permissions for investments, preparing the entitlement form for suppliers, sending export documents, creating and ordering current cards, filing documents received from the inspection firm, captain and Customs Directorate, accepting contractors to field operations, ensuring product shipment, carrying out the guarantee letter processes, technically of suppliers evaluation and ensuring the selection of appropriate equipment, establishing or approving seller/supplier registration, creating safe reports, carrying out customs processes
Execution of direct marketing processes To make marketing notifications regarding our services by e-mail and phone, to conduct satisfaction surveys or to evaluate the opinions, complaints and comments you make through social media, online platforms or other media, to return, to inform our customers about company innovations, to carry out marketing activities with participants in the events to be held,
Communication and support (upon request) Responding to requests for information about our services, providing support for requests received through our communication channels, keeping records and updating our database (in connection with the process of creating new customers and new dealer cards), contacting customers and suppliers at the fairs we participate in, receiving and issuing mutual business cards, finding solutions based on the complaint reports of our sales or quality control units, and finding solutions in response to the complaint reports of our sales or quality control units. reporting of actions
Compliance with legal obligations Execution of tax and insurance processes, Law No. 5651 and other legislation, Law no. 6563 on the Regulation of Electronic Commerce and other legislation, Turkish Penal Code No. 5237 and Personal Data Protection Law No. 6698, fulfillment of our legal obligations arising from the relevant legislation, execution of processes before official institutions, record keeping and information obligations, compliance and audit, audits and inspections of official authorities, monitoring and concluding our legal rights and cases, carrying out the necessary processes within the scope of compliance with the laws and regulations we are subject to, such as data disclosure at the request of the official authorities, and ensuring the fulfillment of the legal obligations specified in the KVKK as required or required by the regulatory regulations with the regulatory and supervisory institutions. to be carried out, to obtain the permissions to be obtained for investment, to make measurements related to physical, chemical and biological factors within the scope of occupational health and safety legislation, to carry out field operations of contractors, to share customer information with GSM operators in accordance with the BTK board decision.
Ensuring the protection and security of company interests Carrying out audit activities necessary for the protection of company interests and interests, carrying out conflict of interest checks, ensuring the legal and commercial security of persons who have business relations with our Company, keeping CCTV records for the protection of company devices and assets, taking technical and administrative security measures, carrying out the necessary work for the development of the services we provide, implementing and auditing workplace rules, social responsibility planning and execution of activities, maintaining the commercial reputation and trust of Sönmez Holding, Kutlucan Holding and Türkn Holding group companies, reporting all incidents, accidents, complaints, lost stolen etc. situations occurring within the building, taking necessary intervention and taking precautions, transferring the rules to be followed for dangerous situations that may occur during maintenance and repair, and measuring the professional competencies of subcontractors, to ensure the order of the entrances and exits of the employees of the company and to obtain the necessary information in terms of safety, to carry out our necessary quality and standard audits or to fulfill our reporting and other obligations determined by laws and regulations.
Planning and execution of the company’s commercial activities In order to determine, plan and implement the Company’s commercial policies in the short, medium and long term, and to determine and implement commercial and business strategies; Communication, market research and social responsibility activities carried out by our company, execution of procurement processes, creation of contingency plans
Reporting and auditing Ensuring communication with Sönmez Holding, Kutlucan Holding and Türkn Holding group companies established in Türkiye, carrying out the necessary activities, internal audit and reporting processes
Protection of rights and interests Execution of defenses against legal claims against our company, mediation, legal and public litigation provisions such as lawsuits, investigations, etc.

HOW DO WE USE YOUR PERSONAL DATA FOR MARKETING PURPOSES?

Since marketing activities are not evaluated within the scope of the exceptions in KVKK m. 5/2, we always receive your consent as a rule to process your personal data within the scope of marketing activities. They can send promotional communications about our company, products, services, events and promotions at regular intervals. Such promotional communications may be sent to you through different channels such as email, phone, SMS text messages, mail and third party social networks.

To provide you with the best personalized experience, sometimes these communications can be tailored to your preferences (for example, as you specify them to us, based on the results we draw from your website visits, or based on the links you click on in our emails).

Processing for the purpose of providing opportunities for your specific products and services such as internet advertising, Targeting, Re-targeting, cross-selling, campaign, opportunity and product/service advertising, using Cookies for this purpose, making commercial offers taking into account your preferences and recent purchases, tracking your usage habits according to your previous records and providing you with special products; processing for the purpose of providing you with special advertising, campaigns, benefits and other benefits for sales and marketing activities and for the purpose of carrying out other marketing and CRM studies, processing for the purpose of creating new product and service models, sending electronic commercial messages (such as newsletter, customer satisfaction surveys, product advertisements); gift and promotional submission; we are able to carry out marketing activities in order to organize and inform about corporate communication and other events and invitations within this scope.

When required by applicable legislation, we will ask for your consent before starting the above activities. You will also be given the ability to undo (stop) your consent at any time. In particular, you can always stop marketing notifications from being sent to you by following the unsubscribe instruction in each email and SMS message.

WE PROCESS YOUR PERSONAL DATA FOR LEGAL REASONS?

Your personal data, especially the Turkish Commercial Code no. 6102, the Turkish Debts Law No. 6098, the Tax Procedure Law No. 213, the electronic commerce legislation, the KVKK m. We operate within the framework of the following legal reasons, which are held at 5:

Legal Reason Examples
We process your consent in accordance with your consent where we need to obtain your explicit consent in accordance with the KVKK and other legislation (in this case, we would like to remind you that you can withdraw your consent at any time) We obtain your consent to carry out our marketing activities.
In any case permitted by applicable legislation Inclusion of the name of the person concerned on the invoice within the scope of Tax Procedure Law m. 230
When there is an obligation to protect the vital interests of any person Giving the health information of the board member who fainted on the board to the doctor
Where we are required to establish a contract with you, perform the contract and fulfill our obligations under a contract Receipt of the customer’s bank account information within the scope of the contractual relationship with the customer
Fulfilling our legal obligations, Fulfillment of our tax obligations, submission of court-ordered information to the court
If your personal data is made by you Sending us an e-mail to contact us to contact you, using the personal data you make public through means such as social media channels for the purpose of publicization
It is mandatory for us to process data for the establishment or protection of a right, to exercise our legal rights and to defend against legal claims against us Storage and use of documents that are evidence/evidence
Where required by our legitimate interests, provided that they do not harm your fundamental rights and freedoms To ensure the security of our company communication networks and information, to carry out our Company activities, to conduct research in order to detect suspicious transactions and to comply with our risk rules, to use storage, hosting, maintenance, support services in order to provide IT services in terms of technical and security, to ensure the efficiency of our Company activities and to use cloud technology to take advantage of the possibilities of technology

 

In cases where your Personal Data is processed with explicit consent, we would like to emphasize that if you withdraw your express consent, you will be excluded from the commercial membership program where such explicit consensual processing is required and you will not be able to benefit from the benefits you enjoy through such processings as of the relevant date.

WHEN DO WE SHARE YOUR PERSONAL DATA?

Our company is responsible for acting in accordance with the decisions and related regulations stipulated in the KVKK, especially KVKK m. 8, regarding the transfer of personal data. As a rule, personal data and special quality data belonging to data subjects cannot be transferred by our Company to other natural persons or legal entities without the express consent of the person concerned.

Transfer of Personal Data at Home

In accordance with Article 8 of the POPD, it is possible to transfer your Personal Data without the consent of the relevant person in the cases stipulated in Articles 5 and 6 of the POPD.

In case of provision of the conditions stipulated in Articles 5 and 6 of the Sönmez Cement POPD, their personal data will be provided in accordance with the conditions stipulated in the relevant other legislation and by taking the security measures specified in the legislation; Unless otherwise regulated by law or other relevant legislation, it is transferred to third parties in Türkiye and companies under the roof of Sönmez Cement. You can examine these reasons under the heading “WE PROCESS YOUR PERSONAL DATA FOR CERTAIN LEGAL REASONS?“.

Sharing Your Personal Data Abroad:

Our Company may transfer personal data to third parties in Türkiye or abroad by processing in Türkiye or for processing and storage outside Türkiye, in accordance with the conditions stipulated in the Law and other relevant legislation, including outsourcing. In order to carry out our company activities in the most efficient way and to benefit from the possibilities of technology, your personal data can be transferred abroad by taking the necessary technical and administrative measures through cloud information technology.

As a rule in accordance with POPD m. 9, we seek the explicit consent of the data owners for the transfer of personal data abroad. However, in accordance with POPD m. 9, the existence of one of the conditions issued in POPD m. 5/2 or m. 6/3 and in the foreign country to which personal data will be transferred

a) Having adequate protection,
b) In the absence of adequate protection, data controllers in Türkiye and the relevant foreign country must undertake an adequate protection in writing and have the permission of the Board transfer abroad without the explicit consent of the data owner.

Accordingly, in exceptional cases where explicit consent for the transfer of the above-mentioned personal data is not sought, in addition to the conditions of non-consensual processing and transfer, it is required to have sufficient protection in the country where the data will be transferred in accordance with the POPD. The Personal Data Protection Board will determine whether adequate protection is provided; in the absence of adequate protection, data controllers both in Türkiye and the relevant foreign country must undertake adequate protection in writing and have the permission of the Personal Data Protection Board.

Parties Shared at Home and Abroad

  1. We do not share your Personal Data except in special circumstances described here. Access to your Personal Data within Sönmez Cement will be limited to those who need to know the information for the purposes defined in this Policy. In order to realize the purposes for which your data is collected (see the “For what purposes do we use your personal data?” section above for detailed information about these purposes), we transfer your Personal Data to the following persons and institutions:
    Sönmez Holding, Kutlucan Holding and Türkün Holding group companies: Due to our activities under Sönmez Holding, Kutlucan Holding and Türkn Holding, your personal data is shared with and made available to Sönmez Holding, Kutlucan Holding and Türkn Holding group companies established in Türkiye and abroad. This sharing is done only with employees authorized to realize the relevant sharing purpose, but in general, we would like to point out that the data sharing we do with Sönmez Holding, Kutlucan Holding and Türkn Holding is carried out in a way that does not contain personal data within the scope of financial reporting related to company activities such as company profitability and efficiency. In some special cases, we may share personal data (such as responding to complaints from customers) instead of sharing anonymous information with Sönmez Holding, Kutlucan Holding and Türkn Holding group companies. Binding Company Rules regarding the transfer of your personal data between Sönmez Holding, Kutlucan Holding and Türkn Holding group companies have been signed and necessary measures have been implemented.
  2. Service Providers: When carrying out the commercial activities of our Company, it defines the parties in which our Company has established a partnership for the purposes of selling, promoting and marketing its products. Like many businesses, we may work with trusted third parties such as information and communication technology providers, consulting services providers, carriers, travel agencies, and share data to carry out our activities in order to carry out functions and services in the most efficient way and in accordance with current technologies within the scope of some data processing activities. This sharing is limited to ensure that the purposes of establishing and performing the partnership are fulfilled. We use cloud information technologies to carry out the activities of our company in the most efficient way and to make the most of the possibilities of technology, and in this context, we are able to process your personal data at home and abroad through companies that provide cloud computing services. The marketing services support company we share can be established abroad and in this context, data sharing with abroad can be carried out in accordance with the provisions regarding data sharing abroad in accordance with POPD m. 8 and m. 9.
  3. Public Institutions and Organizations: Where required by law or when we need to protect our rights, we may share your personal data with the relevant official, judicial and administrative authorities (e.g. Tax authorities, notaries, law enforcement, gendarmerie, police directorates, courts and enforcement offices, customs consultancy, Environment and Urbanization, Customs Directorates, Ministry of Transport, Ministry of Commerce, port authority).
  4. Private Legal Persons: In accordance with the provisions of the relevant legislation, personal data sharing can be carried out in a limited way for the purpose requested by the private legal persons authorized to receive information and documents from our Company within the legal authority (e.g. Occupational Health and Safety Company).
  5. Professional consultants and others: In order to maintain the business activities of Sönmez Cement, support for the execution of the activities of Sönmez Cement, such as the execution of tender processes, the execution of mediation and arbitration processes and the execution of our relations with our suppliers, the promotion of our projects, including professional consultants such as the following
  6. Other parties linked to corporate transactions: In addition, from time to time, you may use your personal data within the scope of corporate transactions, e.g. during the execution of contracts for the conduct of the company’s business and activities, the conduct of established contractual and commercial relations, ensuring the efficiency and security of our company processes, during the sale of a company to fulfill the commitments made, or during the sale of a certain part of a company to another company, or during the sale of any name, assets or shares belonging to Sönmez Cement. we share with other parties that are linked to corporate transactions such as our customers, subcontractors, suppliers, business partners, and companies where we receive services and consultancy at home and abroad in case of reorganization/restructuring, merger, joint venture or otherwise subject to sale or disposal (including those linked to bankruptcy or similar transactions).

HOW LONG DO WE STORE YOUR PERSONAL DATA?

We only store your personal data for as long as necessary to fulfill the purpose for which they were collected. We set these periods separately for each business process and destroy your personal data in accordance with the POPD if there is no other reason for us to store your personal data at the end of the relevant periods.

When determining the periods of destruction of your personal data, we take into account the following criteria:

  • Within the scope of the purpose of processing the relevant data category, the period accepted in accordance with the general procedure in the sector in which the data controller operates,
  • The period during which the legal relationship established with the relevant person will continue, which requires the processing of personal data in the relevant data category,
  • The period during which the legitimate interest obtained by the data controller will be valid in accordance with the law and honesty rules, depending on the purpose for which the relevant data category is processed,
  • The period during which the risks, costs and responsibilities of storing the relevant data category depending on the purpose of processing will continue legally,
  • Whether the maximum time to be determined is conducive to keeping the relevant data category accurate and up-to-date when necessary,
  • The period during which the data controller is obliged to store the personal data in the relevant data category in accordance with its legal obligation,
  • The statute of limitations set by the data controller for assertion of a right tied to personal data in the relevant data category.

HOW DO WE DESTROY YOUR PERSONAL DATA?

Although personal data have been processed in accordance with the provisions of the relevant law in accordance with article 138 of the Turkish Penal Code and Article 7 of the POPD, if the reasons requiring its processing disappear, it will be deleted, destroyed or anonymized in accordance with the decision of our company or if the personal data owner has such a request.

In this context, the Personal Data Retention and Destruction Policy has been prepared. Our Company reserves the right not to fulfill the data subject’s request in cases where it has the right and/or obligation to protect personal data in accordance with the provisions of the relevant legislation. When personal data is processed in non-automated ways as part of any data recording system, the system of physical destruction of personal data is applied in such a way that it cannot be used later when the data is deleted/destroyed. When our Company agrees with a person or entity to process personal data on its behalf, personal data is safely deleted by that person or entity in a way that can never be recovered again. Our company can anonymize personal data when the reasons requiring the processing of personal data processed in accordance with the law are eliminated.

METHODS OF DESTRUCTION OF PERSONAL DATA

Deletion of Personal Data

Although our company has been processed in accordance with the provisions of the relevant law, it may delete personal data at the request of the personal data owner or in accordance with its own decision in case the reasons requiring its processing disappear. The deletion of personal data is the process of making personal data inaccessible and unusable in any way for the users concerned. All necessary technical and administrative measures are taken by our company to ensure that the deleted personal data is inaccessible and reusable for the relevant users.

Process of Deleting Personal Data
The process to be followed in the process of deleting personal data is as follows:
Determination of personal data that will be the subject of deletion.

  • Identification of relevant users for each personal data using an access authorization and control matrix or similar system.
  • Determination of the powers and methods of the relevant users such as access, restore, reuse.
  • Closing and eliminating the access, retrievation, reuse powers and methods of the relevant users within the scope of personal data.

Methods of Deletion of Personal Data

Data Recording Environment Explanation
On Servers

Personal Data

For those who have expired requiring the storage of personal data on the servers, the system administrator removes the access authority of the relevant users and deletes them.
ElectronicAlly Located

Field Personal Data

Those who have expired requiring their storage from personal data contained electronically are rendered inaccessible and unusable in any way for other employees (related users) except the database administrator.
Personal Data in a Physical Environment For those who have expired requiring the storage of personal data held in a physical environment, it is made inaccessible and unusable in any way for other employees except the unit manager responsible for the document archive. In addition, dimming is applied by scratching/painting/deleting it so that it cannot be read.
In Portable Media

Personal Data Found

Those that require storage from personal data held in Flash-based storage environments are stored in secure environments with encryption keys by being encrypted by the system administrator and given access only to the
system administrator.

Destruction of Personal Data

Although our company has been processed in accordance with the provisions of the relevant law, it may destroy personal data at its own discretion or at the request of the personal data owner if the reasons requiring its processing disappear. The destruction of personal data is the process of making personal data inaccessible, irrevocable and unusable by anyone in any way. The data controller is obliged to take all necessary technical and administrative measures related to the destruction of personal data.

Data Recording Environment Explanation
Personal Data in a Physical Environment Those that require storage from personal data contained in the paper environment are destroyed irreversibly on paper clipping machines.
Personal Data in Optical / Magnetic Media Physical destruction of expired ones, such as melting, burning or dusting, is applied, requiring storage from personal data contained in optical media and magnetic media.

Physical Destruction: Personal data can also be processed in non-automated ways as part of any data recording system. When deleting/destroying such data, a system of physical destruction of personal data is applied in such a way that it cannot be used later.

Safe Deletion from Software: When deleting/destroying data processed in completely or partially automated ways and stored in digital media; methods for deleting data from the relevant software are used so that it cannot be recovered again.
Safe Deletion by Expert: In some cases, he or she may agree with an expert to delete personal data on his behalf. In this case, personal data is safely deleted/destroyed by the person who specializes in this matter in such a way that it can never be recovered again.

Blackout: It is the physical unreadability of personal data.
Methods of Destruction of Personal Data In order to destroy personal data, it is necessary to identify all copies of the data and to destroy them individually by using one or more of the following methods according to the type of systems in which the data is located:

Local Systems: One or more of the following methods can be used to destroy data on those systems. i)

De-magnetizing: It is the process of unreadable distortion of the data on which magnetic media is passed through a special device and exposed to a very high magnetic field. ii) Physical Destruction: It is the process of physical destruction of optical media and magnetic media, such as melting, burning or dusting. Processing such as melting, burning, dusting or passing optical or magnetic media through a metal grinder ensures that the data is rendered inaccessible. If overwriting or de-magnetizing solid-state disks is not successful, this media must also be physically destroyed. iii) Overwriting: It is the process of preventing the recovery of old data by typing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media. This is done using special software.

Environmental Systems: The following are the methods of destruction that can be used depending on the environment type: i) Network devices (switch, router, etc.): The storage media inside these devices is fixed. Products often have a delete command, but no destruction. (a) One or more of the appropriate methods specified in (a) must be destroyed by use. ii) Flash-based environments: Flash-based hard drives must be destroyed by using the ATA (SATA, PATA, etc.), SCSI (SCSI Express, etc.) interface, using the <block erase> command if supported, using the manufacturer’s recommended eradication method if not supported, or using one or more of the appropriate methods specified in (a) Magnetic tape: Environments that store data with the help of micro-magnet parts on flexible tape. It must be destroyed by exposing it to very strong magnetic environments and de-magnetizing it, or by physical destruction methods such as burning and melting. iv) Units such as magnetic discs: Environments that store data with the help of micro magnet parts on flexible (plate) or stationary media. It must be destroyed by exposing it to very strong magnetic environments and de-magnetizing it, or by physical destruction methods such as burning and melting. v) Mobile phones (Sim card and fixed memory areas): There are deletion commands in fixed memory areas on portable smartphones, but most do not have an destruction command. (a) One or more of the appropriate methods specified in (a) must be destroyed by use. vi) Optical discs: Data storage media such as CDs and DVDs. It must be destroyed by physical extrusion methods such as burning, small fragmentation, melting. vii) Peripherals such as printer, fingerprint door switching system, which can be extracted from the data recording media: All data recording media must be verified and destroyed by using one or more of the appropriate methods specified in (a) according to its property. viii) Peripherals such as printer with fixed data recording media, fingerprint door switching system: Most of these systems have a delete command, but not an destruction command. (a) One or more of the appropriate methods specified in (a) must be destroyed by use.

Paper and Microfichip Environments: Since the personal data in these environments is permanently and physically written on the environment, the main environment must be destroyed. When performing this process, it is necessary to divide the media into small pieces of paper disposal or clipping machines in an incomprehensible size, horizontally and vertically, if possible, so that they cannot be reassembled. Personal data transferred from the original paper format to electronic media via scanning must be destroyed by using one or more of the appropriate methods specified in (a) according to the electronic environment in which they are located.

Cloud Environment: During the storage and use of personal data contained in these systems, encryption keys must be used separately for each cloud solution that is serviced, especially where possible for personal data and encrypted by cryptographic methods. When the cloud computing service relationship ends; all copies of the encryption keys required to make personal data available must be destroyed. In addition to the above environments, the destruction of personal data on devices that fail or are sent for maintenance is carried out as follows: i) Destruction of the personal data contained in the relevant devices before being transferred to third institutions such as manufacturers, vendors, services for maintenance, repair, and so on, using one or more of the appropriate methods specified in (a) ii) Where it is not possible or appropriate to destroy, dismantling and storing the data storage environment, sending other defective parts to third institutions such as manufacturer, vendor service, iii) Necessary measures should be taken to prevent the personnel who come for external maintenance and repair purposes from copying personal data and taking it out of the institution.

 

Anonymization of Personal Data

Anonymization of personal data means that personal data cannot be associated with a specific or idenciable real person in any way, even by matching it to other data. Our company can anonymize personal data when the reasons requiring the processing of personal data processed in accordance with the law are eliminated. For anonymization of personal data; personal data must be made irresistible to a specific or imdeterminable real person, even through the use of appropriate techniques for the recording environment and related field of activity, such as the return of data by the data controller or groups of recipients and/or the mapping of data with other data. Our company takes all necessary technical and administrative measures to anonymize personal data.

In accordance with Article 28 of the POPD Law; anonymized personal data can be processed for purposes such as research, planning and statistics. Such transactions are not covered by the POPD Law and the explicit consent of the personal data owner will not be sought.

Methods of Anonymizing Personal Data

Anonymization of personal data means that personal data cannot be associated with a specific or idenciable real person in any way, even if it is matched with other data.

For anonymization of personal data; personal data must be made irresistible to a specific or imdeterminable real person, even through the use of appropriate techniques for the recording environment and related field of activity, such as the return of data by the data controller or third parties and/or the matching of data with other data.

Anonymization is when all direct and/or indirect identifiers in a dataset are removed or altered, preventing the person from being identified or losing the ability to be distinguishable in a group or crowd in a way that cannot be associated with a real person. Data that does not point to a particular person as a result of blocking or losing these features is considered anonymized data. In other words, while anonymized data is information that identifies a real person before this process is performed, it has become unrelated to the contact after this process and has been disconnected from the person. The purpose of anonymization is to sever the link between the data and the person that this data identifies. All bond breakouts that are carried out by automated or non-automated grouping, masking, derivation, generalization, randomization, and so on applied to records in the data recording system where personal data is kept are called methods of anonymization. The data obtained as a result of the application of these methods should not be able to identify a particular person.

The following illustrative methods of anonymization that can be sampled are described:

Anonymization Methods That Do Not Provide Value Irregularity: Methods that do not provide value irregularities do not apply a change or addition to the values that the data in the cluster has, or subtitle, and instead changes are made to all of the rows or columns in the set. Thus, while the data is changed, the values in the fields retain their original state.

Removing Variables
An anonymization method provided by removing one or more of the variables from the table in its entirety. In such a case, the entire column in the table will be completely removed. This method can be used for reasons such as that the variable is a high-grade identifier, that a more appropriate solution does not exist, that the variable is too sensitive data to be disclosed to the public, or that it does not serve analytical purposes.

Extracting Records
In this method, anonymity is strengthened by removing a line containing singularity in the dataset and the probability of producing assumptions about the dataset is reduced. Typically, extracted records are records that do not have a common value with other records and can easily be guessed by people who have an idea of the dataset. For example, in a dataset with survey results, only one person from any industry is included in the survey. In such a case, it is preferable to extract only the record of this person rather than extracting the “sector” variable from all the survey results.

Regional Hide: In the regional cloaking method, the goal is to make the dataset more secure and reduce the risk of predictability. If the combination of values of a particular record creates a very little visible situation and this can most likely cause that person to become distinguishable in the relevant community, the value that creates the exceptional state is changed to “unknown”.

Globalization: The process of converting related personal data from a custom value to a more general value. It is the most used method when producing cumulative reports and operations carried out on total figures. The resulting new values show total values or statistics for a group that makes it impossible to access a real person. For example, a person with a TC ID No. 12345678901 buy diapers from the e-commerce platform and also buy wet wipes. In the anonymization process, it can be concluded that 10% of people who buy diapers from the e-commerce platform also buy wet wipes using the generalization method.

Lower and Upper Bound Encoding: The upper and lower neural coding method is obtained by defining a category for a particular variable and combining the values remaining within the grouping created by this category. Typically, the low or high values of a particular variable are combined and progressed by making a new definition of these values.

Global Coding: The global encoding method is a grouping method used in datasets that cannot be applied to lower and upper bound encoding, do not contain numeric values, or have values that cannot be sorted numerically. It is usually used when certain values are clustered and make it easier to execute predictions and assumptions. All records in the dataset are replaced by this new definition by creating a common and new group for the selected values.

Sampling: The sampling method describes or shares a subset from the set instead of the entire dataset. This lowers the risk of generating accurate estimates of individuals because it is not known whether a person known to be part of the entire dataset is in the described or shared sample subset. Simple statistical methods are used to determine the subset to sample. For example, if you want to use If the demographic information of women living in Istanbul is disclosed or shared by anonymizing a dataset on their occupation and health status, it may make sense to scan and estimate the relevant dataset of a woman known to live in Istanbul. However, only the records of the women who are registered in the relevant dataset are left and anonymization is applied by removing the population record from the dataset of those in other provinces, and if the data is disclosed or shared, a reliable estimate of whether the information of the person he knows is included in the data since the malicious person who accessed the data cannot guess whether the population record of a woman he knows lives in Istanbul is in Istanbul. will not be able to execute.

Anonymization Methods That Provide Value Irregularity: Unlike the methods mentioned above with methods that provide value irregularities; existing values are changed to create distortion of the values of the dataset. In this case, since the values carried by the records are changing, the planned benefit from the dataset must be calculated correctly. Even if the values in the dataset are changing, the data can still be benefited by ensuring that the total statistics are not corrupted.

Microassembly
With this method, all records in the dataset are sorted first in a meaningful order, and then the entire set is divided into a certain number of subsets. The value of that variable of the subset is then replaced with the average value of each subset for the specified variable. Thus, the average value of that variable that applies to the entire dataset will not change.

Data Exchange
The data exchange method is record changes that are obtained by exchanging values for a variable subset between the selected pairs within records. This method is mainly used for categorized variables, and the main idea is to transform the database by changing the values of the variables between individual records.

Adding Noise
With this method, additions and subtractions are made to ensure the specified extent of distortions in a selected variable. This method is mostly applied to datasets that contain numeric values. Distortion is applied equally in each value.

Statistical Methods to Strengthen Anonymization

As a result of combining some values in records with individual scenarios in anonymized datasets, the possibility of identifying the people in the records or deriding assumptions about their personal data may arise.
For this reason, anonymity can be strengthened by minimizing the singularity of records within the dataset by using various statistical methods in anonymized datasets. The main purpose of these methods is to minimize the risk of anonymity corruption and to keep the benefits of the dataset at a certain level.

K-Anonymity
In anonymized datasets, the fact that the people in the records can be identified if indirect identifiers are combined with the right combinations, or that information about a particular person becomes easily predictable, has undermined confidence in the process of anonymization. Accordingly, datasets anonymized by various statistical methods should be made more reliable. K-anonymity has been developed to prevent the disclosure of people-specific information that demonstrates singular characteristics in certain combinations by identifying multiple people with specific fields in a dataset. if there are multiple records of combinations created by combining some of the variables in a dataset, the likelihood of identifying the people who come across this combination is reduced

L-Variety
The L-diversity method, which is formed by studies carried out on the shortcomings of K-anonymity, takes into account the diversity of sensitive variables that coincide with the same variable combinations.

T-Proximity
Although the L-diversity method provides diversity in personal data, there are cases where the method does not provide adequate protection because it does not deal with the content and sensitivity of the personal data. As such, the process of calculating the degree of proximity of personal data, values within themselves and anonymizing the dataset by subclassing according to these degree of proximity is called T-proximity method.

 

Selecting anonymization method

Our company decides which of the above methods to apply by looking at the data they have and taking into account the following characteristics regarding the dataset owned;
The nature of the data,
The size of the data,
The structure of data in physical environments,
Variety of data,
The purpose of the benefit / processing to be obtained from the data,
The frequency at which data is processed,
Reliability of the party to which the data will be transferred,
The effort to anonymize the data is meaningful,
The magnitude of the damage that may occur if the anonymity of the data is impaired, the domain,
The distribution/centrality ratio of the data,
Users’ access to relevant data is subject to authority control and
The possibility that his efforts to create and implement an attack that would impair anonymity would make sense.

While anonymizing a data, our Company controls whether the data in question is redefined by the use of known or publicly available information within other institutions and organizations to which it transmits personal data, with the contracts and risk analyses it will make.

Anonymity Assurance

When deciding to anonymize a personal data instead of deleting or destroying it, our company considers the points that anonymized dataset cannot be corrupted by combining it with a thousand other datasets, that a thousand or more values are not created meaningfully in such a way that it makes a record singular, and that the values in the anonymized dataset do not combine and produce a hypothesis or conclusion. As the properties listed in this article change on the datasets that our company anonymizes, checks are made and anonymity is ensured to be maintained.

Risks of Corruption of Anonymization by Reversal of Anonymized Data

Since anonymization is the process of destroying the distinctive and defining properties of the dataset applied to personal data, there is a risk that these processes will be reversed with various interventions and anonymized data will become re-identifying and real-person distinctive. This is expressed as the deterioration of anonymity. Anonymization can only be achieved through manual or automated processes, or hybrid processes consisting of a combination of both types of processes. However, the important thing is that measures have been taken to prevent the corruption of anonymity by new users who have access to or own the data after sharing or disclosing the anonymized data. Consciously executed transactions regarding the deterioration of anonymity are called “attacks on the deterioration of anonymity”. In this context, the process is established accordingly by investigating whether there is a risk that the anonymized personal data will be reversed by various interventions and that the anonymized data will become immaculate and distinctive to the real persons.

HOW DO WE PROTECT YOUR PERSONAL DATA?

In order to protect your personal data and prevent unlawful access, the necessary administrative and technical measures are taken by our Company in accordance with the Personal Data Security Guide published by the POPD Institution, procedures are regulated within the Company, lighting and explicit consent texts are prepared, and necessary audits are carried out or carried out through external service acquisition to ensure the implementation of the provisions of the POPD in accordance with POPD m. 12/3. The results of this audit are evaluated within the scope of the internal functioning of the Company and necessary activities are carried out to improve the measures taken.

Your above-mentioned personal data can be transferred to the physical archives and information systems of our Company and/or suppliers and kept in both digital and physical environment. The technical and administrative measures taken and taken to ensure the security of personal data are described in detail under two headings below.

Technical Measures

We use generally accepted standard technologies and business safety methods, including standard technology called Secure Socket Layer (SSL), to protect collected personal information. However, due to the feature of the Internet, information can be accessed by unauthorized persons over networks without the necessary security measures. Depending on the current state of technology, the cost of technological application and the nature of the data to be protected, we take technical and administrative measures to protect your data from risks such as destruction, loss, falsification, unauthorized disclosure or unauthorized access. In this context, we contract data security contracts with the service providers we work with.

  1. Ensuring Cybersecurity: We use cybersecurity products to ensure personal data security, but the technical treatments we receive are not limited to this. With measures such as firewalls and gateways, the first line of defense is being established against attacks from environments such as the Internet. However, almost every software and hardware is subjected to a number of installation and configuration processes. Some commonly used software and services are removed from devices, especially considering that older versions may have documented vulnerabilities. Therefore, it is preferred primarily because of its ease of deleting unused software and services instead of keeping them up to date. Patch management and software updates ensure that software and hardware work properly and that the security measures taken for the systems are checked regularly.
  2. Access Limitations: Access to systems containing personal data is limited and regularly reviewed. In this context, employees are given access to the extent necessary for their work and duties and their powers and responsibilities, and access to related systems is provided by using usernames and passwords. When creating these passwords and passwords, it is ensured that combinations of uppercase letters, numbers and symbols are preferred instead of numbers or sequences of letters associated with personal information that can be easily guessed.
  3. Cryptography: In addition to the use of strong passwords and passwords, limiting the number of password entry attempts to protect against common attacks such as the use of brute force algorithms (BFA), ensuring that passwords and passwords are changed at regular intervals, opening the administrator account and admin authority for use only when needed, and immediately deleting or closing the account for employees who have been disconnected from the data controller limitation is carried out.
  4. Anti Virus Software: To protect against malware, products such as antiviruses and antispams that regularly scan the information system network and detect hazards are used, as well as keeping them up-to-date and scanning the required files regularly. If personal data is to be obtained from different websites and/or mobile application channels, connections are made via SSL or a safer way.
  5. Tracking Personal Data Security: It is done to check which software and services are working in the information networks, to determine whether there is a leakage or movement that should not be in the information networks, to keep a regular record of the transaction transactions of all users (such as log records), to report security problems as quickly as possible. Evidence is collected and stored securely in undesirable incidents such as information system crash, malicious software, decommissioning attack, incomplete or incorrect data entry, violations that violate privacy and integrity, misuse of the information system.
  6. Securing Personal Data-Containing Environments: If personal data is stored on devices or paper media located on the campuses of data controllers, physical security measures are taken against threats such as theft or loss of these devices and papers. Physical environments where personal data are contained are protected against external risks (fire, flood, etc.) by appropriate methods and the entrances/exits to these environments are controlled.
  7. If personal data is electronic, access between network components can be restricted or components are separated to prevent personal data security breaches. For example, if personal data is processed in this area by limiting the network being used only to a certain part of the network allocated for this purpose, existing resources may be allocated only for the purpose of securing this limited space, not for the entire network.
  8. Measures of the same level are also taken for paper media, electronic media and devices outside the Company’s campus that contain personal data belonging to the Company. As a matter of fact, although personal data security violations often occur due to the theft and loss of devices containing personal data (laptop, mobile phone, flash drive, etc.), personal data to be transferred by e-mail or mail is also sent carefully and with adequate measures. If employees have access to the information system network with their personal electronic devices, adequate security measures are taken for them.
  9. Access control authorization and/or encryption methods are used against the loss or theft of devices containing personal data. In this context, the password key is stored in an environment accessible only to authorized persons and unauthorized access is prevented.
  10. Documents in a paper media containing personal data are also stored in a locked and accessible environment only to authorized persons, preventing unauthorized access to such documents.
  11. Our Company shall notify the KVK Board and the data subjects as soon as possible if personal data are obtained by others by unlawful means in accordance with KVKK m. 12. The KVK Board may announce this situation on its website or by other means if it deems necessary.
  12. Storage of Personal Data in the Cloud: In the event that personal data is stored in the cloud, the Company must assess whether the security measures taken by the cloud storage service provider are adequate and appropriate. In this context, two-stage authentication check is applied for detailed knowledge of what is stored in the cloud, backing up, synchronisation and remote access to these personal data if necessary. During the storage and use of personal data contained in these systems, encryption by cryptographic methods, encryption and disposal of cloud environments are provided, where possible for personal data, especially for each cloud solution that is serviced. When the cloud computing service relationship ends; all copies of encryption keys that may be used to make personal data available are destroyed. Access to data storage areas where personal data is located is logged and inappropriate access or access attempts are communicated to the relevant parties instantly.
  13. Information Technology Systems Procurement, Development and Maintenance: Security requirements are taken into account when determining the needs of the company regarding the supply, development or improvement of new systems.
  14. Backup of Personal Data: In cases where personal data is damaged, destroyed, stolen or lost for any reason, the Company provides the as soon as possible to operate using the backed-up data. The backed-up personal data is only accessible to the system administrator and the data set backups are excluded from the network.

Administrative Measures

  • All activities carried out by our company were analyzed in detail in all business units and as a result of this analysis, a process-based personal data processing inventory was prepared. Risky areas in this inventory are identified and necessary legal and technical measures are taken continuously. (e.g. The documents that should be prepared within the scope of POPD are prepared taking into account the risks in this inventory)
  • Personal data processing activities carried out by our company are audited by information security systems, technical systems and legal methods. Policies and procedures related to personal data security are determined and regular checks are carried out within this scope.
  • Our company can receive services from external service providers from time to time in order to meet information technology needs. In this case, the external service providers that process such Data are processed at least by ensuring that they provide the security measures provided by our Company. In this case, this contract signed by signing a written contract with the Data Processor includes the following as a minimum:
  • Data Processor acts only in accordance with the purpose and scope of data processing specified in the contract in accordance with the instructions of the Data Controller and in accordance with the POPD and other legislation,
  • Act in accordance with the Personal Data Retention and Destruction Policy,
  • Subject to the obligation to keep secrets indefinitely regarding the personal data processed by the Data Processor,
  • In the event of any data breach, the Data Processor is obliged to notify the Data Controller immediately,
  • Our Company will carry out or carry out the necessary audits on the systems containing personal data of the Data Processor, and will be able to examine the reports resulting from the audit and the service provider company on site,
  • Take the necessary technical and administrative measures for the security of personal data; and
  • In addition, as the nature of our relationship with the Data Processor allows, the categories and types of personal data transferred to the Data Processor are specified in a separate article.
  • As emphasized in the guidance and publications of the Institution, personal data are reduced as much as possible within the framework of the principle of data minimization and personal data that is not necessary, outdated and does not serve a purpose is not collected and if it was collected in the period before the POPD, it is destroyed in accordance with the Personal Data Retention and Destruction Policy.
    Technical personnel are employed.
  • Our company has determined provisions regarding confidentiality and data security in the Employment Contracts to be signed during the recruitment processes of its employees and asks employees to comply with these provisions. Employees are regularly informed and trained about the protection of personal data and the necessary measures in accordance with this law. The roles and responsibilities of the employees were reviewed in this context and their job descriptions were revised.
  • Technical measures are taken in accordance with technological developments, the measures taken are periodically checked, updated and renewed.
  • Access powers are limited and entitlements are regularly reviewed.
    The technical measures taken are regularly reported to the official and the issues that pose a risk are reviewed and the necessary technological solutions are produced.
  • Software and hardware including virus protection systems and firewalls are installed.
  • Backup programs are used to ensure the safe storage of personal data.
  • Security systems are used for storage areas, technical measures taken are periodically reported to the relevant person in accordance with internal controls, and necessary technological solutions are produced by reassessing the issues that pose a risk. Files/outputs stored in physical environment are stored through the suppliers studied and then destroyed in accordance with the procedures determined.
  • The issue of Personal Data Protection is also embraced by the senior management and a special Committee (POPD Committee) is carried out in this regard. A management policy governing the working rules of the Corporate POPD Committee will be enacted within the Company and the duties of the POPD Committee will be explained in detail.

HOW DO WE PROTECT YOUR PERSONAL DATA WITH SPECIAL QUALITY?

A separate policy regarding the processing and protection of personal data of special nature has been prepared and enacted.

POPD m. 6 regulated and subjected the processing of private personal data as private personal data because data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, disguises and clothing, associations, foundations or trade unions, health, sex life, criminal conviction and security measures, and biometric and genetic data are unlawfully processed, risk causing victimization or discrimination of individuals.

The processing of personal data of special nature, which risks discriminating when they are processed unlawfully, is also given importance by Sönmez Cement. In this context, Sönmez Cement determines whether the data processing conditions exist in the processing of its special quality personal data and data processing activity is carried out after ensuring the existence of the legal compliance requirement.

Personal data of special quality other than health and sex life can be processed by Sönmez Cement without explicit consent in the cases stipulated in the laws in accordance with POPD m. 6/3, provided that adequate measures are taken by the POPD Board. In cases where the processing of such special personal data is not stipulated in the law, the explicit consent of the employees is applied and personal data processing activities are not carried out for employees who do not give explicit consent.

However, when processing personal data related to health and sex life, explicit consent is obtained.

Our company takes special measures to ensure the security of personal data of special quality. In accordance with the principle of data minimization, personal data of special nature are not collected and processed only when necessary, unless necessary for the relevant business process. In case of processing of personal data of special quality, technical and administrative measures are taken as necessary to comply with legal obligations and to comply with the measures determined by the POPD Board.

WHAT ARE YOUR RIGHTS TO YOUR PERSONAL DATA?

As data subjects in accordance with POPD m. 11, you have the following rights regarding your personal data:

  • To find out if your personal data has been processed by our Company,
  • If your personal data has been processed, requesting information about it,
  • To learn the purpose of processing your personal data and whether they are used in accordance with the purpose,
  • Knowing the third parties to whom your personal data is transferred, in the country or abroad,
  • Requesting correction of your personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom your personal data has been transferred,
  • Request the deletion or destruction of your personal data in the event that the reasons requiring its processing disappear, even though it has been processed in accordance with the provisions of the POPD and other relevant laws, and to request that the transaction carried out within this scope be notified to the third parties to whom your personal data is transferred,
  • Objecting to the emergence of a result against you by analyzing the processed data exclusively through automated systems,
  • If you suffer losses due to the unlawful processing of your personal data, do not request compensation for the damage you have suffered.

You can submit these requests to our Company free of charge in accordance with the Application Communiqué as follows:

  • After filling out the form on our website and signing it with wet signature, Sönmez Cement Construction and Mining Industry and Trade Inc. Adana Yumurtalık Serbest Bölgesi Sarımazı SB Mahallesi 2. Bulvar 5. Cadde No: 5/01 PK: 01920 Ceyhan / Adana address in person (please note that your ID will need to be presented).
  • After filling out the form on our website and signing it with wet signature, sending it to Sönmez Cement Construction and Mining Industry and Trade Inc. Adana Yumurtalık Serbest Bölgesi Sarımazı SB Mahallesi 2. Bulvar 5. Cadde No: 5/01 PK: 01920 Ceyhan / Adana address via notary.
  • After filling out the application form on our website and signing it with your “secure electronic signature” under the Electronic Signature Law No. 5070, it is sent by e-mail to the kvkk@sonmezcimento.com.tr address with a secure electronic signature.
  • To be communicated in writing by using your e-mail address previously reported to our Company and registered in our Company’s system.
  • After filling out the application form on our website and signing it with your “secure electronic signature” under the Electronic Signature Law No. 5070, it is sent by e-mail registered to the sonmezcimento@hs1.kep.tr address with a secure electronic signature.

In the application;

If the name, surname and application are written, the signature, T.C. Identification Number for the citizens of the Republic of Türkiye, nationality for foreigners, passport number or id number, if any, the main place or workplace address of the notification, the e-mail address based on the notification, telephone and fax number, the subject of the request, must be present. Information and documents related to the subject are also added to the application.

It is not possible to make a request by third parties on behalf of personal data subjects. In order for a person other than the personal data subject to make a request, a wet signed and notarized copy of the special power of attorney issued by the personal data subject on behalf of the applicant must be found. In the application containing your explanations of the right you have as a personal data subject and that you intend to exercise and request to exercise your rights mentioned above; the matter you are requesting must be clear and understandable, the subject you are requesting is related to you or if you are acting on behalf of someone else, you must be privately authorized and your authority to be documented, the application must include identification and address information, and documents that identify you should be included in the application.

In this context, your applications will be finalized in the shortest possible time frame and within a maximum of 30 days. Such applications are free of charge. However, if the transaction also requires a cost, the fee in the tariff determined by the POPD Board may be charged.

If the personal data owner submits his request to our Company in accordance with the prescribed procedure, our Company will conclude the relevant request free of charge as soon as possible and within thirty days at the latest according to the nature of the request. However, if the transaction requires a separate cost, the applicant will be charged the fee in the tariff determined by the POPD Board by our Company. Our company may request information from the relevant person in order to determine whether the applicant is the owner of personal data. In order to clarify the issues contained in the application of the personal data subject, our company may ask the personal data subject about his application.

In accordance with POPD m. 14, your application is rejected by our Company, even if you find our answer inadequate or if we do not respond to the application during the period; You can file a complaint with the POPD Board within thirty and in any case sixty days from the date of application.

WHAT ARE THE SITUATIONS WHERE DATA OWNERS WILL NOT BE ENTITLED TO THE RIGHTS?

Personal data subjects cannot assert the above-mentioned rights of personal data subjects in these matters, as they are excluded from the scope of the POPD in accordance with Article 28 of the POPD:

  • Processing of personal data for purposes such as research, planning and statistics by anonymization with official statistics.
  • Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy or personal rights or constitute a crime.
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
  • Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution.

In accordance with article 28/2 of the POPD; Personal data subjects may not assert their other rights, except for the right to claim damages as listed below:

  • Personal data processing is necessary for the prevention of criminal or criminal investigation.
  • Processing of personal data made available by the personal data subject.
  • Personal data processing is required by authorized public institutions and organizations and professional organizations that are public institutions on the basis of the authority granted by the law, for the execution of audit or regulatory duties and for disciplinary investigation or prosecution.
  • Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial issues

OTHER CONSIDERATIONS

In the event of a mismatch between the provisions of the POPD and other relevant legislation and this Policy, the provisions of the POPD and other relevant legislation shall be applied first.

We would like to remind you that we may make updates to this Policy due to regulatory provisions that may change over time and changes to our company policies. We will publish the most up-to-date version of the Policy on our website.

 

APPENDIX – ABBREVIATIONS

ABBREVIATIONS
Law No. 5651 Law on the Regulation of Publications on the Internet and the Fight against Crimes Committed Through These Publications, which was published in the Official Gazette no. 26530 dated May 23, 2007.
Constitution Constitution of the Republic of Türkiye dated November 7, 1982 and numbered 2709 published in the Official Gazette dated November 9, 1982 and numbered 17863
Application Notification Notification on the Procedures and Principles of Application to the Data Controller, which was published in the Official Gazette no. 30356 dated March 10, 2018
Contact/Contacts or Data Owner Customers of the group companies with which Sönmez Cement and/or Sönmez Cement are associated refer to the natural person whose personal data is processed, such as corporate customers, business partners, shareholders, officials, candidate employees, interns, visitors, suppliers, employees of the institutions with which he works in cooperation, third parties and others with whom he or she is associated.
Regulation on The Deletion, Destruction or Anonymization of Personal Data Regulation on The Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette no. 30224 dated October 28, 2017 and effective as of January 1, 2018
KVKK Personal Data Protection Law, which was published in the Official Gazette dated April 7, 2016 and numbered 29677
KVK Board Personal Data Protection Board
KVK Institution Personal Data Protection Authority
m. Material
E.g. Example
Policy This Sönmez Cement Personal Data Protection and Privacy Policy
Company/ Sönmez Cement Sönmez Cement Yapı ve Madencilik Sanayi ve Ticaret A.Ş.
Turkish Penal Code Published in the Official Gazette dated October 12, 2004 and numbered 25611; Turkish Penal Code no. 5237 dated September 26, 2004

 

Clarification Text of the Law on the Protection of Personal Data Application Form Download