For Tema İş Makinaları Servis Ltd. Şti., the protection of the personal data of all natural persons with whom it has a relationship is of great importance. For this reason, it is working with utmost diligence to comply with the current legislation and to apply the principles of data security.
In this context, the necessary administrative and technical measures are taken by Tema İş Makinaları Servis Ltd. Şti. for the processing and protection of personal data in accordance with Law No. 6698 and related legislation.
The Personal Data Retention and Disposal Policy has been prepared to determine the procedures and principles regarding the retention and disposal activities carried out by Tema İş Makinaları Servis Ltd. Şti., and your personal data is processed and protected within the scope of this policy.
The processes and procedures related to the retention and disposal of Personal Data are carried out in accordance with the Policy prepared by the company in this regard.
1.2 Scope
This policy applies to all personal data of our customers, potential customers, employees, employee candidates, employees of institutions we cooperate with, and third parties, which are processed by automated or non-automated means, provided that they are part of any data recording system.
Explicit Consent: Refers to consent that is based on information and declared with free will regarding a specific subject.
Cookie: Small files that are saved on users' computers or mobile devices and help store preferences and other information on the web pages they visit.
Relevant User: Persons who process personal data within the data controller's organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.
Disposal: The deletion, destruction, or anonymization of personal data.
Contact Person: The natural person reported by the data controller during registration to the Registry for communication with the Authority regarding the obligations under the Law and secondary regulations to be issued based on this Law, for legal entities resident in Turkey and for the representative of a non-resident legal entity data controller.
(The contact person is not authorized to represent the Data Controller. As the name suggests, they are the person appointed solely to ensure "contact" between the data controller, the data subjects, and the Authority.)
KVKK (DPL): The Personal Data Protection Law No. 6698, dated March 24, 2016, published in the Official Gazette dated April 7, 2016, and numbered 29677.
Recording Medium: Any medium where personal data is processed wholly or partially by automated means or by non-automated means, provided that it is part of any data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of such data, wholly or partially by automated means or by non-automated means, provided that it is part of any data recording system.
Anonymization of Personal Data: Making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data.
Deletion of Personal Data: Making personal data inaccessible and unusable in any way for the Relevant Users.
Destruction of Personal Data: The process of making personal data inaccessible, irretrievable, and unusable by anyone in any way.
Board: The Personal Data Protection Board.
Authority: The Personal Data Protection Authority.
Special Categories of Personal Data: Data related to individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Periodic Disposal: The process of deletion, destruction, or anonymization to be carried out ex officio at recurring intervals specified in the personal data retention and disposal policy, in the event that all the conditions for processing personal data cease to exist.
Policy: The personal data processing and protection policy created by the Data Controller.
VERBİS: A registration system where natural and legal persons who process personal data must register before starting to process personal data and where they will enter information on a categorical basis regarding the personal data they are processing.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by them.
Data Recording System: The recording system where personal data is structured and processed according to specific criteria.
Data Subject/Relevant Person: The natural person whose personal data is processed.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
1.4 UPDATING AND AMENDING THE POLICY
This policy contains information in accordance with the Law and other legislation regarding personal data and will enter into force on the date of its publication on the Website https://temaservis.com. The policy may be updated from time to time due to legal changes, changes in the Personal Data processing processes of Tema İş Makinaları Servis Ltd. Şti., or other reasons. Updates become effective on the date of publication of the new Policy on the Website.
Tema İş Makinaları Servis Ltd. Şti.; all its business units and employees support the proper implementation of the technical and administrative measures specified in this Policy and the Personal Data Protection and Processing Regulation, the training and awareness-raising of unit employees, continuous supervision, the lawful processing of personal data, and the implementation of technical and administrative measures to ensure data security in all data processing environments, and work in cooperation with the responsible units.
The Personal Data Committee established within Tema İş Makinaları Servis Ltd. Şti. is authorized and responsible for taking/having taken the necessary actions and supervising the processes to ensure that the data of data subjects are stored and processed in accordance with the legislation, the Personal Data Processing and Protection Policy, and the Personal Data Retention and Disposal Policy.
The Personal Data Committee consists of four people: a manager, a human resources specialist, a technical expert, and a lawyer. The titles and job descriptions of the employees serving on the Personal Data Committee are specified below:
| Title | Job Description |
| Personal Data Protection Committee | To direct all kinds of planning, analysis, research, and risk identification studies in projects carried out in the compliance process with the Law; to manage the processes that need to be carried out in accordance with the legislation, the Personal Data Processing and Protection Policy, and the Personal Data Retention and Disposal Policy, and to decide on requests from data subjects, to follow developments regarding the protection of personal data; to make recommendations to senior management on what needs to be done within the scope of these developments, and to manage relations with the Authority and the Board. |
| Personal Data Protection Committee Manager | Responsible for examining and reporting the requests of data subjects to the Personal Data Committee for evaluation; for ensuring that the actions regarding the data subject requests evaluated and decided upon by the Personal Data Committee are carried out in accordance with the Committee's decision; for supervising the retention and disposal processes and reporting these supervisions to the Personal Data Committee; and for executing the retention and disposal processes. |
The personal data of natural persons with whom Tema İş Makinaları Servis Ltd. Şti. has a relationship are stored and disposed of in accordance with the DPL (Data Protection Law). In addition, during the process of storing and disposing of personal data, all kinds of technical and administrative measures are taken to prevent the unlawful storage and disposal of this data by third parties. As a company, we attach importance to the protection of privacy in the processes of storing and disposing of personal data, and data security is observed at the highest level.
RECORDING MEDIA
Personal data is kept and stored securely by Tema İş Makinaları Servis Ltd. Şti. in the media listed in the table below, in accordance with the legislation.
| Electronic Media | Software, Firewall, Intrusion Detection and Prevention System, Antivirus, Printer, Scanner, Photocopier, Computers, Camera Recording Systems, Optical Discs and Removable Memories, Mobile Devices |
| Non-Electronic Media | Printed Data Recording Media; Forms and Documents, Other Written and Visual Media |
During its business activities, the personal data of our employees, employee candidates, visitors, customers, and third parties with whom we have a relationship as a service provider are carefully collected, processed, stored, and disposed of in accordance with the procedures stipulated in this protocol and the Law. In this context, detailed explanations regarding retention and disposal are given below, respectively.
4.1 Explanations on Retention
Article 3 of the Law defines the concept of processing personal data, Article 4 states that the processed personal data must be connected, limited, and proportionate to the purpose for which they are processed and must be retained for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed, and Articles 5 and 6 list the conditions for processing personal data. Accordingly, our Company retains personal data for the period necessary for the purpose for which they are processed and in accordance with the minimum periods stipulated in the legal legislation to which the relevant activity is subject. In this context, our Company first determines whether a period for the retention of personal data is stipulated in the relevant legislation, and if a period has been determined, it acts in accordance with the most reasonable period suitable for the current situation. Personal data are disposed of at the end of the specified retention periods in accordance with the periodic disposal periods or the data subject's application, and by the specified disposal methods (deletion and/or destruction and/or anonymization).
Personal data processed by Tema İş Makinaları Servis Ltd. Şti. within the framework of its activities are retained for the period stipulated in the relevant legislation. In this context, personal data;
In addition, personal data are retained for the periods stipulated within the framework of;
is retained for the stipulated retention periods.
Our Company retains the personal data it processes within the framework of its activities for the following purposes.
Personal data;
Our Company, upon the request of the data subject, deletes, destroys, or anonymizes the data, or deletes or anonymizes it ex officio.
All administrative and technical measures taken by "Tema İş Makinaları Servis Ltd. Şti." in accordance with the principles in Article 12 of the DPL to ensure the secure storage of your personal data, to prevent its unlawful processing and access, and to ensure its lawful disposal are listed below.
The technical measures taken by "Tema İş Makinaları Servis Ltd. Şti." regarding the personal data it processes are listed below:
List of Technical Measures:
The administrative measures taken by our company regarding the personal data it processes are listed below:
There is a Personal Data Protection Committee within "Tema İş Makinaları Servis Ltd. Şti.". This committee, on behalf of the data controller "Tema İş Makinaları Servis Ltd. Şti.", personally conducts the necessary inspections to ensure the implementation of the provisions of the Law and has them conducted by obtaining support from competent organizations when necessary. According to the results of these inspections, the identified violations, negativities, and non-conformities are reported to the Committee Manager, and the necessary measures are taken in light of these issues.
In accordance with the relevant provisions of the DPL and the "Regulation on the Deletion, Destruction, and Anonymization of Personal Data" issued by the Board; even though it has been processed in accordance with the relevant legal provisions, if the reasons requiring its processing cease to exist, the personal data will be deleted, destroyed, or anonymized by "Tema İş Makinaları Servis Ltd. Şti." based on its own decision or upon the request of the data subject. "Tema İş Makinaları Servis Ltd. Şti." has established a policy in this regard in accordance with the regulation's provisions, and according to this policy, it carries out disposal according to the nature of the data.
| Deletion of Personal Data in Paper Form: | ||
| Blackout | : | Personal data in physical form is deleted using the blackout method. The blackout process is carried out by cutting the personal data on the relevant document where possible, and where not possible, by making it invisible using permanent ink in a way that is irreversible and unreadable with technological solutions. |
| Deletion Methods for Personal Data Held in Cloud and Local Digital Media | ||
| Secure deletion from software | : | Personal data held in cloud or local digital media is deleted by a digital command in a way that it cannot be recovered. Data deleted in this way cannot be accessed again. |
| Destruction Methods for Personal Data Held in Printed Media | ||
| Physical destruction | : | Documents held in printed media are destroyed by shredding machines in a way that they cannot be reassembled. |
| Destruction Methods for Personal Data Held in Local Digital Media | ||
| Physical destruction | : | It is the process of physically destroying optical and magnetic media containing personal data, such as melting, burning, or grinding into powder. Data is made inaccessible through processes like melting, burning, grinding into powder, or passing it through a metal grinder. |
| Degaussing | : | It is the process of corrupting the data on magnetic media in an unreadable way by exposing it to a high magnetic field. |
| Overwriting | : | By writing random data consisting of at least seven passes of 0s and 1s over magnetic media and rewritable optical media, the reading and recovery of old data are prevented. |
| Destruction Methods for Personal Data Held in Cloud Media | ||
| Secure deletion from software | : | Personal data held in the cloud is deleted by a digital command in a way that it cannot be recovered, and when the cloud computing service relationship ends, all copies of the necessary encryption keys to make the personal data usable are destroyed. Data deleted in this way cannot be accessed again. |
Anonymization of personal data is the process of rendering personal data in such a way that it can no longer be associated with an identified or identifiable natural person, even by matching it with other data.
For personal data to be anonymized, it must be rendered impossible to associate with an identified or identifiable natural person, even through the use of appropriate techniques for the recording medium and the relevant field of activity, such as reversal by the data controller or third parties and/or matching the data with other data.
Regarding the personal data processed by "Tema İş Makinaları Servis Ltd. Şti." within the scope of its activities;
The ex officio deletion, destruction, or anonymization process for personal data whose retention periods have expired is carried out by the Information Technology Department.
| PROCESS/SOURCE TRANSACTION | RETENTION PERIOD | LEGAL BASIS | DISPOSAL PERIOD |
| Employee Access Restrictions – Active Directory Transactions | 10 Years from the end of the Employment Relationship | Labor Law No. 4857 and Relevant Legislation | In the first periodic disposal period following the end of the retention period |
| Data Processed for Corporate Communication Activities for Employees (e.g., Participant List, etc.) | 10 Years from the end of the Employment Relationship | Sectoral practices apply. Accordingly, it can only be processed with explicit consent. | In the first periodic disposal period following the end of the retention period |
| Log Records of Employee Access to Media Containing Personal Data | 10 Years, being at least 2 years, due to the possibility of being subject to labor lawsuits | Law No. 5651, Labor Law No. 4857 and TIB (Telecommunication Communication Presidency) Regulations | In the first periodic disposal period following the end of the retention period |
| Personal Data Processed with Documents Required to be Kept under the Tax Procedure Law such as Invoices/Expense Slips/Receipts | 5 Years | Tax Procedure Law No. 213 | In the first periodic disposal period following the end of the retention period |
| Data Processed for General Assembly Transactions | 10 Years | Turkish Commercial Code No. 6102 | In the first periodic disposal period following the end of the retention period |
| General Assembly and Board of Directors Meeting Transactions | 10 years | Turkish Commercial Code No. 6102 | In the first periodic disposal period following the end of the retention period |
| Job Application/Internship Application/Data on Candidate Applications if the Application is Not Accepted (e.g., CV, Resume, Cover Letter, Application Form, etc.) | 1 Year | Sectoral practices apply. Accordingly, it can only be processed with explicit consent. | In the first periodic disposal period following the end of the retention period |
| Data Regarding the Personnel File Kept under the Labor Law | 10 Years from the end of the Employment Relationship | Labor Law No. 4857 and Relevant Legislation / Turkish Code of Obligations No. 6098 | In the first periodic disposal period following the end of the retention period |
| Data Kept under the Labor Law (e.g., severance pay, notice pay, bad faith compensation, information that could be subject to compensation for violation of the principle of equal treatment, payroll records, number of annual leave days, etc.) | 5 Years from the end of the Employment Relationship | Labor Law No. 4857 and Relevant Legislation | In the first periodic disposal period following the end of the retention period |
| Data Kept under the Labor Law that Could be Subject to Union Compensation (e.g., performance records, disciplinary penalties, termination documents, etc.) | 10 Years from the end of the Employment Relationship | Turkish Code of Obligations No. 6098 | In the first periodic disposal period following the end of the retention period |
| In Accordance with the Labor Law: Responding to Court/Enforcement Information Requests Regarding Employees | 10 Years from the end of the Employment Relationship | Labor Law No. 4857 and Relevant Legislation | In the first periodic disposal period following the end of the retention period |
| Data Collected under Occupational Health and Safety Legislation (e.g., pre-employment health tests, health reports, OHS Trainings, records of Occupational Health and Safety activities, etc.) | 15 Years from the end of the Employment Relationship | Occupational Health and Safety Law No. 6331, Occupational Health and Safety Services Regulation | In the first periodic disposal period following the end of the retention period |
| Camera Recordings | 6 Months | Legitimate Interest of the Data Controller | In the first periodic disposal period following the end of the retention period |
| All Records Related to Accounting and Financial Transactions | 10 Years | Law No. 6102, Law No. 213 | In the first periodic disposal period following the end of the retention period |
| Personal Data of Customers | 10 Years after the legal relationship ends. | Law No. 6098, Law No. 213, Law No. 6502 | In the first periodic disposal period following the end of the retention period |
| Personal Data Processed and Shared with the Union for Union Activities | 10 Years | Law on Unions and Collective Bargaining Agreements No. 6356 | In the first periodic disposal period following the end of the retention period |
| Data Kept under SGK (Social Security Institution) Legislation (e.g., employment declarations, premium/service documents, etc.) | 10 Years from the end of the Employment Relationship | Social Insurance and General Health Insurance Law No. 5510 and Relevant Legislation | In the first periodic disposal period following the end of the retention period |
| Personal Data Processed in Contractual Relations (e.g., Name Surname, signature circular, etc.) End of Contract | 10 Years following the Termination of the Contract | Turkish Code of Obligations No. 6098 | In the first periodic disposal period following the end of the retention period |
| Personal Data Processed in Commercial Books to be Kept, Documents Created Based on Records in Commercial Books, Financial Statements, etc., for Company Activities | 10 Years | Turkish Commercial Code No. 6102 | In the first periodic disposal period following the end of the retention period |
| Information on Company Partners and Board of Directors Members (e.g., attendance fee and dividend payments, etc.) | 10 Years | Turkish Commercial Code No. 6102 | In the first periodic disposal period following the end of the retention period |
| Information on Company Partners and Board of Directors Members (personal data in the share ledger) | Indefinite due to the Obligation to Keep the Share Ledger | Turkish Commercial Code No. 6102 | In the first periodic disposal period following the end of the retention period |
| Personal Data of Suppliers | 10 Years after the legal relationship ends | Law No. 6102, Law No. 6098 and Law No. 213 | In the first periodic disposal period following the end of the retention period |
| Personal Data Processed due to the Obligation to Provide After-Sales Services under the Law on the Protection of the Consumer (No. 6502) (e.g., product installation date, customer contact information) | 15 Years | Law on the Protection of the Consumer No. 6502, After-Sales Services Regulation published in the Official Gazette dated 13.06.2014 and numbered 29029 | In the first periodic disposal period following the end of the retention period |
| Personal Data Related to Tax Records | 5 Years | Tax Procedure Law No. 213 | In the first periodic disposal period following the end of the retention period |
| Personal Data of Visitors | 2 Years | Law No. 5651 (For Visitors Accessing the Company's Wi-Fi Network) | In the first periodic disposal period following the end of the retention period |
In accordance with Article 11 of the Regulation, "Tema İş Makinaları Servis Ltd. Şti." has determined the periodic disposal period as 6 months. Accordingly, the periodic disposal process is carried out in the company every year in June and December.
The policy is published in two different media: with a wet signature (printed paper) and in electronic form.
The policy is reviewed as needed and the necessary sections are updated.
This Policy, issued by "Tema İş Makinaları Servis Ltd. Şti.", came into force on the date it was published. This Policy is published on the Company's website (https://temaservis.com) and is made available to the access of data subjects upon their request.
| Update No | Date | Reason for Update | Update Page No | Updated Section |
The right to the protection of personal data has also found its place as a fundamental human right in Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union.
DPL Art. 4 lists the fundamental principles to be complied with for the processing of personal data. These principles are taken into account and meticulously applied within the scope of all personal data processing activities carried out by Tema İş Makinaları Servis Ltd. Şti. ("COMPANY" or the Company). The fundamental principles followed by the Company in its data processing processes are as follows:
Processing in Accordance with the Law and the Rule of Honesty: The "COMPANY" acts in accordance with the general principles of law and the rule of honesty while fulfilling its obligation to process and protect personal data.
Processing Personal Data Accurately and Up-to-Date: The "COMPANY" is aware that ensuring that personal data provides accurate and up-to-date information about individuals is of great importance for the protection of individuals' rights. It shows the utmost care expected of it to ensure that the personal data being processed is accurate and up-to-date.
Processing Personal Data for Specific, Explicit, and Legitimate Purposes: The DPL requires that data processing activities be carried out for specific, explicit, and legitimate purposes. The "COMPANY" also carries out personal data processing activities for specific, explicit, and legitimate purposes required by its activities within the framework of this principle.
Processing in Connection with, Limited to, and Proportionate to the Purpose for which they are Processed: The "COMPANY" processes personal data within the limits sufficient to achieve the purposes determined within the scope of its activities. The "COMPANY" acts in accordance with the principle of being limited and proportionate by refraining from processing personal data that is not needed.
Retaining for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for which it is Processed: Personal data being processed by the "COMPANY" is retained for the period until the conditions for processing personal data cease to exist. When these purposes disappear, the "COMPANY" will terminate the procedures for retaining the relevant personal data. The company transparently informs all relevant parties with the necessary documents regarding all data processing processes.
INTRODUCTION
The Personal Data Protection Law No. 6698 (DPL/Law) was published in the Official Gazette on April 7, 2016, to regulate the procedures and principles to be complied with by natural and legal persons who process personal data, in order to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data belonging to natural persons.
1. PURPOSE OF THE POLICY
TEMA İŞ MAKİNALARI SERVİS LTD. ŞTİ. Personal Data Processing and Protection Policy (Policy) has been prepared with the aim of disciplining the processing of personal data to be processed during the activities carried out, in accordance with the legislation, and protecting fundamental rights and freedoms, especially the privacy of private life as stipulated in the Constitution.
While preparing the "Policy," the fundamental principle was to determine what data the working units within the "COMPANY" organization collect, why they collect it, and why they transfer this data to third parties, and to understand the Company's personal data processing procedure. In addition, this Policy aims to determine what administrative and technical measures will be taken to protect data privacy both inside and outside the "COMPANY" organization, to explain these measures, and to inform and enlighten the individuals whose data are processed.
2. SCOPE OF THE POLICY
All natural persons whose data are processed directly or indirectly due to the activities of the "COMPANY" fall within the scope of the "Policy".
Within the scope of this "Policy", customized information is provided about the data processed within the framework of the transactions and activities in the "COMPANY" organization, the categorization of the data, the groups of data recipients, the legal reason and method of data collection, the groups of third parties to whom the data is transferred, the processing periods of the data, and the disposal periods of the data.
3. DEFINITIONS
Explicit Consent: Refers to consent that is based on information and declared with free will regarding a specific subject.
Cookie: Small files that are saved on users' computers or mobile devices and help store preferences and other information on the web pages they visit.
Relevant User: Persons who process personal data within the data controller's organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.
Disposal: The deletion, destruction, or anonymization of personal data.
Contact Person: The natural person reported by the data controller during registration to the Registry for communication with the Authority regarding the obligations under the Law and secondary regulations to be issued based on this Law, for legal entities resident in Turkey and for the representative of a non-resident legal entity data controller.
(The contact person is not authorized to represent the Data Controller. As the name suggests, they are the person appointed solely to ensure "contact" between the data controller, the data subjects, and the Authority.)
KVKK (DPL): The Personal Data Protection Law No. 6698, dated March 24, 2016, published in the Official Gazette dated April 7, 2016, and numbered 29677.
Recording Medium: Any medium where personal data is processed wholly or partially by automated means or by non-automated means, provided that it is part of any data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of such data, wholly or partially by automated means or by non-automated means, provided that it is part of any data recording system.
Anonymization of Personal Data: Making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data.
Deletion of Personal Data: Making personal data inaccessible and unusable in any way for the Relevant Users.
Destruction of Personal Data: The process of making personal data inaccessible, irretrievable, and unusable by anyone in any way.
Board: The Personal Data Protection Board.
Authority: The Personal Data Protection Authority.
Special Categories of Personal Data: Data related to individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Periodic Disposal: The process of deletion, destruction, or anonymization to be carried out ex officio at recurring intervals specified in the personal data retention and disposal policy, in the event that all the conditions for processing personal data cease to exist.
Policy: The personal data processing and protection policy created by the Data Controller.
VERBİS: A registration system where natural and legal persons who process personal data must register before starting to process personal data and where they will enter information on a categorical basis regarding the personal data they are processing.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by them.
Data Recording System: The recording system where personal data is structured and processed according to specific criteria.
Data Subject/Relevant Person: The natural person whose personal data is processed.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
4. COMPANY DPL STRUCTURE
The data controller for the personal data processing activities covered by this Policy is Tema İş Makinaları Servis Ltd. Şti.
Our company, within the framework of the DPL compliance program, has organized a separate organization for personal data protection processes to guarantee the continuity of compliance with the DPL, has carried out the appropriate business and transactions, and has provided the necessary equipment. In this context, a "Personal Data Protection Commission" has been established within our Company, and a Contact Person has been appointed.
4.1. Personal Data Protection Commission
A DPL Commission has been established within our Company to demonstrate our commitment to ensuring sustainable compliance with the personal data protection legislation and to ensure the effectiveness of our personal data protection system. The chairman and members of the DPL Commission are determined by the board of directors and carry out their duties.
4.2. Contact Person
To fulfill the obligation to appoint a contact person as stipulated by the legislation, a contact person who has received the necessary training and has the required competence in DPL has been appointed. The primary responsibility of the contact person is to ensure communication between the data controller and the data subjects and the Authority, as stipulated by the legislation, and the contact person does not have the authority to represent the data controller. The contact person will also work towards the fulfillment of the duties and responsibilities of the DPL Commission. The Contact Person is a natural member of the DPL Commission within our organization and calls the DPL Commission to a meeting when necessary.
5. PURPOSES OF PROCESSING YOUR PERSONAL DATA, THE PERSONAL DATA WE PROCESS, COLLECTION METHODS, AND LEGAL GROUNDS
Your personal data will be used to achieve the purposes shown in the relevant legislation for the "COMPANY" and by observing the limits stipulated in the DPL. The processing purposes are as follows;
Identity Information: Your name, surname, T.R. identity number, mother's name, father's name, place and date of birth, personnel registration number, and other information provided by you to the Company with your explicit consent.
Contact Information: Your residence address, workplace address, telephone number, and e-mail address, KEP (Registered Electronic Mail) address, and, if available, your mobile phone number, fax number, or information on other communication channels you have indicated you prefer for us to contact you, provided with your consent.
Work and Education Information: Information on the application form you filled out for application to the Company (job application, event participation application), within the scope of registration documents and/or in job application forms sent to the Company's e-mail address, or your identity information, work status information, contact information, and education status information ("University graduate, master's degree graduate, physics department graduate," etc.) and past graduation information, course/seminar information you attended, certificate information, and national or international exam results, obtained through other online or physical application methods provided by the Company.
Customer Transaction Information: Call center records, credit card statements, customer instructions, records recorded in relevant channels, etc., depending on an instruction and request associated with the person.
Financial Information: Credit card debt, loan amount, loan payments, debt balance, credit balance, etc., in parallel with information from official authorities in case of a legal follow-up, and accounting information and related records.
Financial Information: Bank name and branch information, bank account number information, IBAN number information, acquired for the purpose of paying salaries and fringe benefits, refunding overpayments and undue payments, making payments from the revolving fund, and making payments for external assignments.
Request/Complaint Management Information: Information and records collected regarding the requests and complaints made to our Company about our products and services associated with the person, and information on the reports where these are evaluated by the relevant business units, etc.
Special Categories of Personal Data: Special categories of personal data related to health, criminal conviction, and security measures of disabled persons and persons against whom a conviction has been issued and/or a security measure has been applied, who are employed to fulfill employment obligations arising from legislation within the company, are processed.
Although the Company has no other direct purpose for processing special categories of personal data, your data on religion, attire, philosophical belief, political opinion, and health (e.g., clothing, devices, and prostheses understood from a photograph) that may be indirectly acquired within the scope of the identity document, photographs, or still/moving images obtained during events you have provided to the Company, and other special categories of information you have voluntarily stated in a document provided by the Company.
iii. Methods of Collecting Your Personal Data
Your personal data is collected through registration/application forms submitted via the internet, receipts and expense documents, security camera recordings, and in case personal data is sent to the COMPANY's official e-mail address at tema@temaservis.com, through these communication channels.
Personal data is also collected by physically sending documents, physically filling out a document provided by the Company, or by calling the lines +90 (530) 392 32 05 or other internal numbers belonging to the Company.
Your personal data is also collected through automated means via cookies used at tema@temaservis.com and its extensions. These cookies are only necessary for the visitor to use the site with full efficiency and are used to remember the visitor's preferences and do not obtain any other personal data. You can access our cookie policy at https://temaservis.com.
The DPL lists the conditions for processing personal data in Article 5, paragraph 2. If the purposes of processing personal data by a data controller can be evaluated within the framework of the personal data processing conditions listed in the DPL, that data controller can process personal data lawfully. In this context, personal data processing activities are carried out by the Company in cases where the Company's activity can be evaluated within the scope of the personal data processing conditions regulated in the DPL. The Company does not engage in any personal data processing activity that does not fall within the scope of personal data processing conditions.
The personal data processing conditions in the DPL are as follows;
For special categories of personal data, the basic processing condition is also explicit consent, and the Company does not fundamentally aim to process special categories of personal data. However, your special categories of personal data that we need to process due to our activity or that you have approved with your explicit consent are also processed proportionately within the framework of the legislation.
The conditions listed in the DPL for processing special categories of personal data are as follows;
6. TRANSFER OF PERSONAL DATA
Domestic transfer: As is known, according to Article 8/2-a and b of the DPL, it is possible to transfer personal data domestically without obtaining explicit consent if they are processed within the scope of Article 5/2 and 6/3 of the DPL. The "COMPANY" makes transfers to third parties by observing the relevant provisions, and if they do not fall within the scope of these provisions, the explicit consent of the data subjects is sought.
Overseas transfer: As a rule, the "COMPANY" does not transfer data abroad. However, it may be possible for data and documents processed by the "COMPANY" to be stored on computers located outside the Company, for e-mails to be sent, and for records to be accessed from these computers, and for the databases of the systems and/or e-mail providers where this data is stored and transferred to be located abroad. In addition, especially in the organization of international events, there may be a necessity to transfer personal data abroad for hotel accommodations, obtaining visas, purchasing airline tickets, and the execution and planning of the international event. In this case, the transfer will be made in compliance with the provisions of Article 9 of the DPL.
Your personal data is shared with authorized public institutions and organizations, judicial authorities, enforcement authorities, law enforcement units, and suppliers, business partners, and shareholders from whom contracted products and/or services are received, for the purposes shown in this Policy and by the means herein. The table showing the parties with whom data is shared is below:
| Persons to Whom Data May Be Transferred | Definition | Purpose |
| Business Partner | Parties with whom the company establishes a business partnership while conducting its commercial activities | Sharing of personal data limited to ensuring the fulfillment of the purposes for which the business partnership was established |
| Shareholders | Shareholders who are authorized to design the company's commercial strategies and auditing activities according to the relevant legislative provisions | Sharing of personal data limited to the purposes of designing the company's commercial strategies and auditing |
| Company Officials | Board members and other authorized persons | Sharing of personal data limited to the purposes of designing the company's commercial strategies, ensuring top-level management, and auditing |
| Legally Authorized Private Law Persons | Private law persons legally authorized to receive information and documents from the company | Sharing of data limited to the purpose requested by the relevant private law persons within their legal authority |
| Legally Authorized Public Institutions and Organizations | Public institutions and organizations legally authorized to receive information and documents from the company | Sharing of personal data limited to the purpose of the relevant public institutions and organizations' request for information |
No data transfer is made that does not concern the company's purposes. For example, even if we have obtained it with your consent, your IP address information or vehicle license plate information is not shared with any third party, including the persons and institutions shown above. The exception to this determination is when the transfer of said data is mandated by legislation, or is mandatory for a criminal investigation, or is requested by an official authority based on legislation and with justification.
7. RIGHTS OF THE DATA SUBJECT
Within the scope of the DPL, the data subject;
How Can You Exercise Your Rights?
Data subjects can submit their rights listed above to our Company using the following methods by filling out the application form published at https://temaservis.com or which can be obtained from the "COMPANY" headquarters.
In the application procedure, the "COMPANY" carries out its transactions within the scope of the Communiqué on the Procedures and Principles of Application to the Data Controller. In this context, the application must be made in accordance with Article 5 of the said communiqué.
After the form is completely filled out;
In the application;
The "COMPANY" will conclude the requests of data subjects regarding their rights listed above, which they will submit in writing or through other methods to be determined by the Board, as soon as possible and within thirty days at the latest from the date of submission. The applications of data subjects may be charged within the framework of the tariffs published by the Board. In accordance with Article 7 of the relevant Communiqué, if the data subject's application is to be answered in writing, no fee is charged for up to ten pages. A transaction fee of 1 Turkish Lira may be charged for each page over ten pages. If the response to the application is given in a recording medium such as a CD or flash drive, the fee that can be requested by the data controller cannot exceed the cost of the recording medium.
For the purpose of responding to applications made by data subjects, the "COMPANY" may request additional information and documents to verify the identity of the applicant, to prevent the unlawful transmission of another person's personal data to unrelated persons, and to clarify the applicant's request. If such information and documents are not shared, the data subject's application may not be answered.
It is of serious importance to confirm that the application was made by the "identity owner" and/or an authorized person. Since the purpose is the protection of personal data, providing personal data to third parties and taking action within the scope of the rights explained in Article 11 of the DPL due to the inability to perform identity verification will harm the interest of the data subject that needs to be protected. For this reason, we hope that you will understand our sensitivity regarding identity verification procedures and assist our Company.
The "COMPANY" concludes the requests as soon as possible and within 30 days at the latest. The result of the evaluation is notified to the data subject in writing or electronically, and if the request is accepted, the necessary action is taken in accordance with the DPL.
In cases where the applications of data subjects are rejected, the response given is found to be insufficient, or the application is not responded to in time, the data subject may file a complaint with the Personal Data Protection Board within 30 days from the date they learn of the response, in accordance with Article 14 of the DPL.
8. LEGAL EXCEPTIONS AND EXPLICIT CONSENT EXPLANATION IN THE PROCESSING OF PERSONAL DATA AND SPECIAL CATEGORIES OF PERSONAL DATA
It is desired that the "COMPANY" adopts the method of applying for the "explicit consent" of the data subjects as a principle. Considering the processing purposes and conditions stated in this Policy, there is no need to obtain the consent of the data subjects for data processing conditions that fall within the scope of legal exceptions.
However, this situation should not be interpreted under any circumstances as the "COMPANY" will not benefit from the exception provisions and/or will choose the path of obtaining explicit consent in every case.
9. INFORMATION ON THE PROCESSING OF PERSONAL DATA
9.1. Channels Where Personal Data is Obtained
Our company mainly obtains personal data from the following channels:
Depending on technological developments, new additions may be made to the above personal data collection channels by the "COMPANY", or the use of some of the existing channels may be abandoned. In such cases, the correct expression of the channels used will be ensured by updating the Policy to maintain transparency and accountability.
9.2. Classification of Personal Data
The categorization of personal data is extremely important for compliance with the legislation. Our legislation mainly gathers personal data under two categories: personal data and special categories of personal data. We have made a categorization according to data types under these categories.
The categories of personal data and special categories of personal data of the "COMPANY" are shared in the table below:
| PERSONAL DATA CATEGORIZATION | EXPLANATIONS |
| Identity Information | Information about the person's identity in documents such as driver's license, identity card, residence permit, passport, marriage certificate. |
| Contact Information | Information for contacting the data subject, such as phone number, address, e-mail. |
| Family Members and Relatives Information | Information about the family members and relatives of the personal data subject processed to protect the legal interests of the Company and the data subject, or related to the products and services we offer. |
| Physical Space Security Information | Personal data related to records and documents such as camera recordings, fingerprint records taken during entry to and stay in the physical space. |
| Transaction Security Information | Your personal data processed to ensure our technical, administrative, legal, and commercial security while conducting our commercial activities. |
| Financial Information | Personal data processed related to information, documents, and records showing any financial result created according to the type of legal relationship our Company has established with the personal data subject. |
| Personnel Information | Personal data processed related to information, documents, and records showing any financial result created according to the type of legal relationship our Company has established with the personal data subject. |
| Employee Transaction Information | Personal data processed related to any transaction carried out by our employees or natural persons in a working relationship with our Company in connection with their work. |
| Employee Performance and Career Development Information | Personal data processed for the purpose of measuring the performance of our employees or other natural persons in a working relationship with our Company and planning and executing their career development within the scope of our Company's human resources policy. |
| Fringe Benefits and Interests Information | Personal data processed for the planning of fringe benefits and interests we offer and will offer to our employees or other natural persons in a working relationship with our Company, determining the objective criteria for entitlement to these, and tracking their entitlements. |
| Legal Transaction and Compliance Information | Personal data processed within the scope of determining and pursuing our legal receivables and rights, fulfilling our debts, and complying with our legal obligations and Company policies. |
| Audit and Inspection Information | Personal data processed within the scope of our Company's legal obligations and compliance with Company policies. |
| Special Categories of Data | Data related to individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. |
| Request/Complaint Management Information | Personal data related to the receipt and evaluation of any request or complaint directed to our Company. |
| Reputation Management Information | Information collected to protect the commercial reputation of our Company and the evaluation reports created and actions taken related to it. |
| Incident Management Information | Personal data processed for the purpose of taking the necessary legal, technical, and administrative measures against incidents that develop to protect the commercial rights and interests of our Company and the rights and interests of our students. |
9.3. Data Subject Classification
The "COMPANY"'s classification of data subjects is shown in the table below:
| Data Subject Classes | Description |
| Customer | Refers to natural persons who benefit from the products and services offered by the Company. |
| Employee Candidate | Refers to natural persons who apply for a job by sending a resume to the Company or by other methods. |
| Shareholder, Official, Employee of Company Business Partners | All natural persons, including employees, shareholders, and officials of natural and legal persons (such as business partners, suppliers) with whom the Company has any kind of business relationship. |
| Employee/Intern | Natural persons who perform services with a work contract in the Company. |
| Potential Customer | Natural persons who have requested or shown interest in using the Company's products and services, or who have been evaluated as having this interest in accordance with commercial custom and the rules of honesty, and who have the potential to become customers. |
| Visitor | All natural persons who enter the physical premises owned by the Company for various purposes or visit its websites for any purpose. |
| Third Parties | Refers to natural persons other than the data subject categories listed above and the company's employees. |
10. RETENTION AND DISPOSAL OF PERSONAL DATA
The "COMPANY" stores the personal data of the data subjects whose data it processes in electronic and physical environments by taking the necessary technical and administrative security measures.
The retention period of personal data by the "COMPANY" is calculated by taking into account the periods determined in the relevant legislation.
In the event that the purposes for processing personal data, which would eliminate the conditions for processing personal data in the DPL, cease to exist, personal data will be disposed of by the "COMPANY". These disposal procedures are carried out ex officio at 6-month intervals in accordance with the provisions of the relevant legislation, or are concluded if the requests from data subjects are found to be appropriate. In accordance with the legislation, the "COMPANY" will fulfill the data subject's requests for deletion and/or destruction within 30 days at the latest, unless another period is stipulated in the legislation, and will inform the data subject.
The records related to the disposal of Personal Data will be kept by the "COMPANY" for a period of 3 years. The periods stipulated in special legislation are reserved, and if these periods change due to amendments in the DPL and related legislation, the current periods will be applied.
The "COMPANY" uses deletion, anonymization, or destruction disposal techniques.
The processes related to disposal are carried out and decided by the DPL Commission.
11. OBLIGATION TO INFORM
In accordance with Article 10 of the DPL, the "COMPANY" will fulfill its obligation to inform as mentioned in the DPL by presenting the following information to the relevant data subjects during the acquisition of personal data:
The "COMPANY" prepares appropriate information notices and presents them to the relevant persons to fulfill its obligation to inform while carrying out its activities.
12. MEASURES REGARDING THE SECURITY OF PERSONAL DATA
The "COMPANY" shows all kinds of reasonable care and diligence in ensuring the confidentiality and security of the personal data it processes, with the sense of responsibility that comes with being a well-established company. The "COMPANY", in addition to the requirements of the relevant legislation, takes the necessary technical and administrative measures at a reasonable level to ensure data privacy and security within the framework of Article 12 of the DPL. With these administrative and technical security measures, it is aimed to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure that personal data is preserved at an appropriate security level.
In the event that personal data is processed on its behalf by another natural or legal person (data processor), the "COMPANY" will take the necessary measures to ensure that the above-mentioned measures are also taken by the relevant data processors.
In case of unlawful acquisition of personal data by third parties, it will notify the data subjects, the Board, and other relevant public institutions and organizations in accordance with the provisions of the relevant legislation.
While taking measures for the security of personal data, the Personal Data Security Guide (Technical and Administrative Measures) published by the Board and the decisions of the Board are taken into consideration.
Administrative Measures
Technical Measures
13. PROCESSING OF PERSONAL DATA COLLECTED THROUGH COOKIES
Our Company uses Cookies to improve the functioning and use of our web pages or mobile applications and strives to make the time you spend on our digital platforms more efficient and enjoyable.
In addition, we use some cookies to remember the choices you make on our websites and mobile applications, thereby providing you with an improved and personalized experience tailored to your preferences. Your personal data is processed and transferred through the cookies on our digital platforms.
In accordance with Article 12 of the DPL, necessary technical and administrative measures are taken by our Company to ensure the security of personal data collected through cookies.
For detailed information, you can access our cookie policy using the link https://temaservis.com.
14. TRAINING AND SUPERVISION OF EMPLOYEES AND DATA PROCESSORS ON DPL
The company provides its employees with the necessary awareness training to fulfill the obligations stipulated by the legislation within the scope of personal data protection law and to protect the rights of the data subject. It is ensured that new employees joining the company also receive this training. Professional support is received in both internal and external training and audit processes.
The company also carefully selects its data processors, presents the fulfillment of their DPL compliance as a condition of business processes, and periodically questions the DPL compliance status of the data processors. In this context, the company signs the necessary contracts and commitment letters with the data processors, follows their implementation, and terminates its contractual relationship with data processors who do not meet the conditions.
15. IDENTITY OF THE DATA CONTROLLER
Information regarding the identity of the data controller for any personal data processing activity falling within the scope of this policy is provided below.
Identity of the Data Controller
Company Name/Title : Tema İş Makinaları Servis Ltd. Şti.
Tax No : Ostim Tax Office, 8370030462
Address : Ahievran Cad. No:99 Ostim, Yenimahalle/ANKARA
Phone : +90 (530) 392 32 05
E-Mail : tema@temaservis.com
Website : https://temaservis.com
16. ENTRY INTO FORCE
This Policy, issued by the Company, has entered into force on the date of its publication on the website and has been made public. In case of a conflict between the current legislation, especially the Law, and the regulations set forth in this Policy, the provisions of the legislation shall apply.
The Company reserves the right to make changes to the Policy in parallel with legal regulations. You can access the current version of the Policy at the internet address (https://temaservis.com).
Last Update Date:
```
