1.    PURPOSE AND SCOPE
This procedure is intended to protect the fundamental rights and freedoms of individuals, especially the right to privacy, in the processing of personal data and to set out the obligations of YAPRAKSAN, who is the personal data processor, under the Personal Data Protection Law No. 6698 and any applicable secondary legislation (regulations, communiqués, and board decisions) and the procedures and principles to be complied with by YAPRAKSAN in this respect.

This procedure will apply to natural persons whose personal data are processed and to all locations of YAPRAKSAN who processes such data by wholly or partially automated means or by non-automated means provided that they are part of any data registry system.

​

2.    DEFINITIONS
Explicit Consent: Refers to the consent on a particular subject, which is based on being provided with information and is expressed of one's free will,
Anonymization: Refers to the action taken to make personal data incapable of being associated with an identified or identifiable natural person even by matching personal data with other data,
Contact Person: Refers to the person who will serve VERBIS notices on behalf of YAPRAKSAN and establish communication with the data subject,
Data Subject: Refers to the natural person whose personal data is processed,
Personal Data: Refers to any data pertaining to a natural person who is identified or identifiable, 
Personal Data Processing: Refers to all kinds of processes regarding data including obtaining, saving, storing, keeping, altering, rearranging, disclosing, transferring, taking over, making available, classifying personal data or prevention of using the same through ways which are completely or partially automatic or through manual ways provided that they are part of a data registry system,
Sensitive Personal Data: Refers to the personal data regarding race, ethnic background, political view, philosophical belief, religion, denomination or other beliefs, appearance, association, foundation or union membership, health, sexual life, conviction and safety precautions, as well as biometric and genetic data,
KVKK: Refers to Personal Data Protection Law No. 6698,
Board: Refers to the Personal Data Protection Board,
Authority: Refers to the Personal Data Protection Authority,
Registry: Refers to Data Controllers' Registry, 
VERBIS: Refers to Data Controllers' Registry Information System,
Data Processor: Refers to the natural or legal person authorized by the data controller to process personal data on behalf of him/her,
Data Registry System: Refers to the registry system which personal data are registered into by being structured in line with given criteria, 
Data Controller: YAPRAKSAN who decides the purposes and means of personal data processing and is responsible for the establishment and management of the data registry system,
YAPRAKSAN: YAPRAKSAN PLASTİK SAN. VE TİC. A.Ş.

​

3.    RESPONSIBILITIES
The Contact Person is responsible for the preparation and documentation of this procedure, while the responsibility for its approval lies with the General Manager.
All departments that process personal data are responsible for processing and protecting personal data in accordance with this procedure.

​

4.    METHOD
4.1.    Personal Data Processing
4.1.1.    General
YAPRAKSAN will process personal data in accordance with the procedures and principles stipulated by other regulations, primarily those stipulated by the Turkish Constitution (Article 20) and the Protection of Personal Data Law No. 6698 (KVKK).

YAPRAKSAN will comply with the following principles in article 4 of KVVK when processing Personal Data.
•    Lawfulness and good faith,
•    Accurateness, and up-to-dateness where required,
•    Processing for specific, explicit and legitimate purposes,
•    Relevance, limitation and proportionality to the purposes for which personal data are processed, and
•    Retention for the period laid down by the applicable legislation or the period required for the purpose for which personal data are processed.

4.1.2.    Terms and Conditions of Personal Data Processing
YAPRAKSAN will process Personal Data based on the legal grounds in article 5 of KVKK.
For Personal Data Categories see (Table-1)

(1)    YAPRAKSAN will avoid processing personal data without the explicit consent of data subjects.
(2)    YAPRAKSAN may process personal data without seeking the explicit consent of the data subject if one of the following conditions is met:
•    It is expressly provided for by the laws. 
•    It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to express his/her consent due to the physical disability or whose consent is not deemed legally valid.
•    Processing of personal data of the parties to a contract is required, provided that it is directly related to the establishment or performance of the contract.
•    It is necessary for compliance with a legal obligation to which YAPRAKSAN is subject.
•    Personal data are made public by the data subject himself/herself.
•    Data processing is necessary for the establishment, exercise or protection of any right.
•    Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing will not violate the fundamental rights and freedoms of the data subject.

4.1.3.    Terms and Conditions of Sensitive Personal Data Processing
YAPRAKSAN will process Sensitive Personal Data based on the legal grounds in article 6 of KVKK.
For Personal Data Categories see (Table-2) 

(1)    YAPRAKSAN will avoid processing sensitive personal data without the explicit consent of data subjects.
(2)    YAPRAKSAN may process personal data without seeking the explicit consent of the data subject if the following conditions are met:
•    Sensitive personal data, other than data concerning Health and Sexual Life, if expressly provided for by law, and
•    In case of sensitive personal data concerning Health and Sexual Life; by persons under its control or by authorized bodies and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, performance of treatment and care services, and planning and management of healthcare services and healthcare services financing.
(3)    YAPRAKSAN will take the measures provided in the SENSITIVE PERSONAL DATA SECURITY PROCEDURE for processing Sensitive personal data.

4.1.4.    Domestic Transfer of Personal Data
YAPRAKSAN will transfer Personal Data domestically based on the legal grounds in article 8 of KVKK.

(1)    YAPRAKSAN will avoid transferring personal data domestically without the explicit consent of data subjects.
(2)    YAPRAKSAN may transfer personal data domestically without the explicit consent of the data subject if the following conditions are met:
•    One of the conditions given in clause 2, article 4.1.2 of this procedure / in clause 2, article 5 of KVVK exists.

4.1.5.    Domestic Transfer of Sensitive Personal Data
YAPRAKSAN will transfer Sensitive Personal Data domestically based on the legal grounds in article 8 of KVKK.

(1)    YAPRAKSAN will avoid transferring sensitive personal data domestically without the explicit consent of data subjects.
(2)    YAPRAKSAN may transfer sensitive personal data domestically without the explicit consent of the data subject if the following conditions are met:
•    One of the conditions given in clause 2, article 4.1.3 of this procedure / in clause 3, article 6 of KVVK exists, and
•    The satisfactory measures provided in the SENSITIVE PERSONAL DATA SECURITY PROCEDURE are taken for transferring sensitive personal data.

4.1.6.    Transfer of Personal Data Abroad
YAPRAKSAN will transfer personal data abroad based on the legal grounds in article 9 of KVKK.

(1)    YAPRAKSAN will avoid transferring personal data abroad without the explicit consent of data subjects.
(2)    YAPRAKSAN may transfer personal data abroad without the explicit consent of the data subject if the following conditions are met:
•    One of the conditions given in clause 2, article 4.1.2 of this procedure / in clause 2, article 5 of KVVK exists,
•    Adequate protection is provided in the foreign country where personal data are to be transferred, and
•   If adequate protection is not provided; YAPRAKSAN and the data controller in the relevant foreign country give a commitment for adequate protection and the Board grants authorization in this respect.

4.1.7.    Transfer of Sensitive Personal Data Abroad
YAPRAKSAN will transfer sensitive personal data abroad based on the legal grounds in article 9 of KVKK.

(1)    YAPRAKSAN will avoid transferring sensitive personal data abroad without the explicit consent of data subjects.
(2)    YAPRAKSAN may transfer sensitive personal data abroad without the explicit consent of the data subject if the following conditions are met:
•    One of the conditions given in clause 2, article 4.1.3 of this procedure / in clause 3, article 6 of KVVK exists,
•    Adequate protection is provided in the foreign country where personal data are to be transferred,
•   If adequate protection is not provided; YAPRAKSAN and the data controller in the relevant foreign country give a commitment for adequate protection and the Board grants authorization in this respect, and
•    The satisfactory measures provided in the SENSITIVE PERSONAL DATA SECURITY PROCEDURE are taken for transferring sensitive personal data.

4.1.8.    Erasure, Destruction or Anonymization of Personal Data
YAPRAKSAN will erase, destruct or anonymize Personal Data in accordance with article 7 of KVKK.

YAPRAKSAN will erase, destruct or anonymize Personal Data ex officio or upon request of the data subject if the reasons for the processing no longer exist.

YAPRAKSAN will handle the procedures for personal data retention and destruction in accordance with the PERSONAL DATA RETENTION AND DESTRUCTION PROCEDURE.

4.2.    YAPRAKSAN's Obligations
•    Obligation to Inform
•    Obligations Concerning Data Security
•    Obligation of Registration into the Data Controllers' Registry
•    Obligation to Respond to Data Subject Requests
•    Obligation to Fulfill the Board Decisions

4.2.1.    Obligation to Inform
At the time when personal data are acquired, the data subject will be informed by YAPRAKSAN or its authorized person in accordance with article 10 of KVKK. When fulfilling this obligation, the information to be provided by YAPRAKSAN or its authorized person will at least include:
•    YAPRAKSAN's identity,
•    For what purpose personal data are to be processed,
•    To whom and for what purposes personal data may be transferred,
•    Method and legal reason for collecting personal data, and
•    Other rights of the data subject listed in article 11.

​

Procedures and Principles of Information
YAPRAKSAN or its authorized person will follow the following procedures and principles at the time of the fulfilment of the obligation to inform by using physical or electronic media, such as oral or written statement, voice recording and call center.
•    The obligation to inform will be fulfilled in any case of personal data processing depending on the explicit consent of data subject or other requirements for processing.
•   In case of any change to the purpose of personal data processing, the obligation to inform will be fulfilled for this purpose prior to data processing.
•    If personal data are processed by different units of YAPRAKSAN for other purposes, the obligation to inform will be fulfilled individually in each unit.
•    Any information to be provided to the data subject under the obligation to inform will conform to those given in the Registry.
•    YAPRAKSAN will fulfill its obligation to Inform even if not requested by the data subject.
•    YAPRAKSAN is liable for proving that the obligation to inform is fulfilled. Consequently, YAPRAKSAN will seek the consent of the data subject on the performance of information physically or electronically. 
•    If personal data processing relies on the condition of explicit consent, the procedures concerning the obligation to inform and seeking of explicit consent will be performed individually.
•    The purpose of processing personal data to be disclosed under the obligation to inform will be specific, explicit and legitimate. While the obligation to inform is being fulfilled, general and ambiguous statements should be avoided. Additionally, it should be avoided to use any statements which may suggest that personal data may be processed for other purposes likely to be discussed. 
•    Any notices intended for the data subject under the obligation to inform will be served by using intelligible, clear and plain language.
The “Legal grounds” mentioned under the method and legal reason for collecting personal data refer to on which processing conditions personal data are processed under the obligation to inform. The legal reason will be explicitly provided at the time of fulfilment of the obligation to inform.
•    For the purposes of the obligation to inform, the purpose of personal data processing and the recipient group to whom personal data will be transferred will be provided.
•    For the purposes of the obligation to inform, it will be clearly stated by which method personal data are acquired: by wholly or partially automated means or by non-automated means, provided that they are part of the data registry system.
•    When fulfilling the obligation to inform, the use of any information that is incomplete or inaccurate or misleads the data subject will be avoided.

​

Obligation to Inform In Case of Failure to Acquire Personal Data from the Data Subject
In case of failure to acquire personal data from the data subject, YAPRAKSAN will fulfill the obligation to inform to that data subject under the following circumstances:
•    within a reasonable time following the acquisition of personal data,
•    at the first instance of communication where personal data are to be used to communicate with the data subject, and
•    not later than the time of initial transfer of personal data if they are to be transferred.

 

Points to Consider When Seeking Consent
The explicit consent should contain the “positive declaration of intent” by the consenter. Generally, YAPRAKSAN accepts the explicit consent with the original signature affixed. In some cases, however, it may also be accepted electronically or by phone.

Since the right to give explicit consent and determine the future of personal data is vested in the data subject, they may revoke the explicit consent given to YAPRAKSAN at any time.

Since, however, the said revocation will bear forward-looking consequences, all the data processing activities carried out based on the explicit consent will be halted by YAPRAKSAN from the moment the revocation statement reaches YAPRAKSAN. 

 

4.2.2.    Obligations Concerning Data Security
YAPRAKSAN will take measures for the security of any personal data in accordance with article 12 of KVVK and the Personal Data Security Guide.

YAPRAKSAN will take all necessary technical and administrative measures to provide an appropriate level of security for the purposes of preventing unlawful processing of personal data, preventing unlawful access to personal data and ensuring protection of personal data.

YAPRAKSAN will take measures for personal data security in accordance with the PERSONAL DATA SECURITY PROCEDURE.

4.2.3.    Obligation of Registration into the Data Controllers' Registry (VERBIS)
YAPRAKSAN fulfills the procedures for registration and notification to the Data Controllers' Registry in accordance with article 16 of KVVK and the Regulation on Data Processors' Registry.

​

Contact Person: 
YAPRAKSAN has a Contact Person appointed in-house by the senior management. The job descriptions for the contact person are determined.
The contact person is the person who will serve notices to the Data Controllers' Registry on behalf of YAPRAKSAN and establish communication with the board and the data subject.
The contact person is not authorized to represent YAPRAKSAN in accordance with the provisions of the Law and applicable regulations.
The details of the Data Controller and Contact Person are given in the VERBIS REGISTRY DETAILS FORM.

​

Data Controller and Registration into the Registry
The Data Controller is the legal entity itself. YAPRAKSAN acts in the capacity of the Data Controller in this context.

The Data Controllers' Registry is a registry system where data controllers must register and disclose information regarding data processing activities.  YAPRAKSAN, acting in the capacity of Data Controller, is registered into the Data Controllers' Registry system and fulfills notification procedures.

The information to be disclosed to the registry for registration applications will be prepared by YAPRAKSAN based on the PERSONAL DATA PROCESSING INVENTORY.

Under the obligation to inform, YAPRAKSAN will rely on the information submitted to the Registry based on the Personal Data Processing Inventory and published in the Registry when responding to the data subject requests and determining the scope of the explicit consent to be disclosed by the data subject.

YAPRAKSAN is responsible for ensuring that the information presented to and published in the Registry are complete, accurate, up-to-date and lawful.

 

Information Submitted under the Obligation to Register
The following information in the data controllers' registry will be disclosed to the public:
•    Name and address of YAPRAKSAN and its contact person, and KEP address if acquired,
•    For what purpose personal data may be processed,
•    Data subject group(s) and the data categories for such persons, 
•    Recipients and recipient groups to whom personal data may be transferred,
•    Personal data anticipated to be transferred to foreign countries,
•    Date of registration in the registry and the registration expiry date,
•    Measures taken to ensure personal data security, and 
•    Maximum period required for the purpose for which personal data are processed. 

The 'DATA CONTROLLERS' REGISTRY SYSTEM (VERBIS) GUIDE' prepared by the Authority is leveraged for steps of registration and notification to VERBIS.

 

Establishment of Communication
Any communication by the Authority with YAPRAKSAN concerning the implementation of KVKK will be carried out through the identification, address or KEP address information notified to the Registry.

 

Change in Registry Information
In case of any change in the information registered into the registry, YAPRAKSAN will notify the Authority of such changes within seven days via VERBIS.

 

Exceptions
For personal data processing activities given below, YAPRAKSAN has no obligation to register and notify these activities in the Registry:
•    Personal data processing required for the prevention of crime or for criminal investigation,
•    Processing of personal data that are made public by the data subject themselves,
•    Personal data processing required for the conduct of supervisory or regulatory duties, for disciplinary investigation, or prosecution by the public institutions, organizations, and professional associations having the status of public institutions assigned and authorized for such actions, in accordance with the power granted to them by law, and
•    Personal data processing required for the protection of the state's economic and financial interests with regard to budgetary, tax-related, and financial issues.

4.2.4.    Obligation to Respond to the Requests by the Data Subject
YAPRAKSAN will respond to any requests filed by the data subject in accordance with article 13 of KVKK and the Communiqué on the Procedures and Principles for Requests Filed to the Data Controller.

 

Rights of the Data Subject
•    Know whether their personal data are processed,
•    Ask for information, if their personal data are processed,
•    Know the purpose of personal data processing and whether the said personal data are used for the intended purpose,
•    Know about the third parties to whom personal data is transferred either at home or abroad,
•    Request correction of personal data in case of incomplete or improper processing,
•    Request the erasure or destruction of personal data,
•    Request the service of a notice to third parties, to whom personal data is transferred, regarding the correction, erasure or destruction of personal data,
•    Object to any adverse consequence resulting against the person upon the exclusive analysis of the processed data through automated systems, and
•    Claim compensation, if the data subject suffers damage due to the illegal processing of any personal data.

 

Data Subject's Right to Request
Natural persons whose personal data is processed has the right to file request to YAPRAKSAN.
The data subject may exercise this right by filing their requests in Turkish.
The DATA SUBJECT REQUEST FORM on www.yapraksan.com should be used for any request to filed to YAPRAKSAN by the data subject in line with their rights.

 

Procedure for the Data Subject Request
The data subject will communicate their requests concerning the implementation of the law to YAPRAKSAN in writing or by other methods to be designated by the Board.
The data subject will communicate their requests under the rights given in article 11 of KVKK to YAPRAKSAN by the following methods:
•    In writing,
•    By Registered Electronic Mail (KEP), 
•    By safe electronic signature, 
•    By mobile signature,
•    Via the e-mail address previously notified to YAPRAKSAN by the data subject and registered in the system, and
•    Via software and application developed for reference purposes. 

The request must include;
•    Name and last name,
•    Signature, if the request is filed in writing, 
•    Turkish identification number for Turkish citizens, 
•    Nationality, passport number, or identification number (if available) for foreigners, 
•    Residential or work address for service, 
•    Electronic mail address for notification, if available, 
•    Telephone and facsimile number, and 
•    Subject of the request.

The related information and documents will be attached to the request.
For written requests, the date on which the file is submitted to YAPRAKSAN will be the request date.
For other requests filed by other methods, the date on which the request is received by YAPRAKSAN will be the request date.

 

Responding to the Data Subject Request
YAPRAKSAN will either accept the request or reject it by explaining the reason for rejection.
YAPRAKSAN will give response to the data subject in writing or electronically.

The response letter must include;
•    Company details, 
•    Requester's name and last name, 
•    Turkish identification number for Turkish citizens, 
•    Nationality, passport number, or identification number (if available) for foreigners, 
•    Residential or work address for service, 
•    Electronic mail address for notification, if available, 
•    Telephone and facsimile number, 
•    Subject of the request, and 
•    YAPRAKSAN's statements on the request.

YAPRAKSAN will respond to the request using the DATA SUBJECT RESPONSE FORM.

​

Time and Fee for Responding to Requests
YAPRAKSAN will resolve the filed requests as soon as possible and not later than thirty (30) days free of charge, depending on the nature of the request. If, however, this procedure results in an additional cost and the data subject request is to be responded to in writing, no cost will be charged up to ten pages. A processing fee of 1 Turkish Lira may be charged for each page over ten pages. If the request is responded to in a recording medium, such as CDs, flash memories, the fee chargeable by YAPRAKSAN will not exceed the cost of the recording medium. If the request arises from YAPRAKSAN's failure, the fee charged will be reimbursed.

YAPRAKSAN will either accept the request or reject it by explaining the reason for rejection and will communicate its response to the data subject in writing or electronically. If the filed request is accepted, YAPRAKSAN will fulfill it as soon as possible and inform the data subject.

YAPRAKSAN will take all administrative and technical measures in line with its turnover to effectively resolve the data subject requests in a lawful manner and in good faith.

Complaints Filed to the Board
If the request is rejected or the response is found unsatisfactory or the request is not responded to in time, the data subject has the right to file a complaint to the Board within thirty days from the date the response given by YAPRAKSAN becomes known by the data subject and, in any case, within sixty days from the date of request filing.

Pursuant to article 13 of KVKK, no complaint may be filed unless the legal remedy is exhausted. 
The right to claim held by those whose personal rights are violated is reserved in accordance with the general provisions.

4.2.5.    Obligation to Fulfill the Board Decisions
YAPRAKSAN will fulfill any instructions and decisions given by the Board, in accordance with article 15 of KVKK.

If the Board determines the existence of a violation upon the investigation to be carried out, following a complaint or ex officio where it becomes aware of the alleged violation, concerning matters falling within its scope of duty, the Board will decide for the remediation of unlawfulness by YAPRAKSAN and notify the data subject of the decision. The data controller must fulfill this decision without delay and not later than thirty days from the date of notification.

Table-1: Personal Data Categories

​​