KVKK Policy

Protection of personal data is one of the basic principles of QUA GRANITE HAYAL YAPI VE ÜRÜNLERİ SANAYİ TİCARET A.Ş. (“QUA GRANITE”). QUA GRANITE, in its capacity as Data Controller, conducts the process of complying with the Law on Protection of Personal Data Numbered 6698 (“LPPD/The Law”) with great care and fulfills the obligations specified in all relevant legislation, especially the Law.

Policy on Protection of Personal Data (“Policy”) is issued considering international regulatory and guiding documents in this field in accordance with the LPPD and all directives and other legal regulations on personal data.

QUA GRANITE provides the necessary training to its employees in order to raise awareness of the protection of personal data.

  1. PURPOSE OF THE POLICY

This Policy is established by QUA GRANITE to inform data owners about the security measures taken to protect the personal data processing activities carried out within the company and its branches and to protect data, with the purpose of fulfilling the obligation to enlighten as specified in Article 10 of the Law.

In addition, this Policy informs data owners in the most transparent manner about the rights and requests of data owners as specified in Article 11 of the Law.

  2. SCOPE OF THE POLICY

This Policy includes all personal data of employees, interns, employees/intern candidates, customers, potential customers, visitors, suppliers, extraneous service providers and other 3rd parties that are processed within QUA GRANITE and its branches through partly or wholly automated ways or nonautomated ways on condition of being a part of any data recording system.

  3. DEFINITIONS

Personal Data: Any kind of information belonging to a real person whose identity is determined or determinable.

Private Personal Data: Private personal data contains information on race, ethnic origin, political thought, philosophic belief, religion, sectarian or other beliefs, dress, membership to a foundation, association or trade union, health, sexual life, penal sentence and security measures and biometric and genetic data.

Express Consent: Consent for a certain subject that is based on information and expressed with free will.

Data Controller: Real or legal person who determines purposes and means of personal data processing and is responsible for establishing and managing data recording system.

Relevant Person/Data Owner: Real person whose personal data is processed.

Personal Data Processing: Any kind of process conducted for data, such as obtaining, recording, storing, keeping, changing, reorganizing, disclosing, transferring, taking over, classifying personal data, making them obtainable or preventing use through partly or wholly automated ways or nonautomated ways on condition of being a part of any data recording system.

Data Recording System: Recording system in which personal data is configured and processed according to certain criteria.

Anonymization: Making personal data nonassociated with a real person whose identity is or can be determined in any way even by matching it with other data.

The Council: The Council of Protection of Personal Data.

The Institution: The Institution of Protection of Personal Data.

Data Processor: The real or legal person who processes personal data on behalf of the data controller based on authorization given by the controller.

Contact Person: The person related to the data controller or person who is responsible for enabling communication with the Institution of Protection of Personal Data.

  4. BASIC PRINCIPLES

QUA GRANITE complies with following principles to ensure personal data is processed and protected in accordance with principles and procedures provided in the LPPD and other laws especially including the Article 20 of the Constitution.

4.1. Principle for Abiding by the Law and Honesty Rules

Considering reasonable expectations of relevant persons, QUA GRANITE processes data in the least possible amount without going out of data processing purposes. It shows due diligence so that data processing activity is transparent for the relevant person and fulfills its obligation to inform.

4.2. Principle for Accuracy and Up-to-datedness of Personal Data

QUA GRANITE prioritizes accuracy and up-to-datedness of personal data.

4.3. Principle for Processing Personal Data with Certain, Explicit and Legitimate Purposes

QUA GRANITE processes personal data with certain, explicit and legitimate purposes. QUA GRANITE does not process personal data for any purpose other than those specified to the relevant person.

4.4. Principle for Personal Data Being Connected and Limited to Purpose of Processing and Being Deliberate

QUA GRANITE limits data processing activity to the data that is adequate and required to realize the purpose only. It avoids data that is not suitable for realizing the purpose and is not needed.

4.5. Storage of Personal Data for a Required Time Only

QUA GRANITE stores personal data for a period required for the purpose of processing personal data and provided in the relevant regulation. If a period for storage of personal data is provided in the relevant regulation, data is stored for this period; if not provided, data is stored for a period required for the purpose of processing.

The Table for Process-Based Data Storage Periods

| Process | Period of Storage |
| --- | --- |
| Data about Personnel File Kept within the scope of the Labor Law | 10 years as of the personnel’s leave of employment |
| Data about Assessment Process of Job Application/Internship Application | Maximum 1 year as of the application date |
| Sustaining Contractual Relations | 10 Years as of Termination of Agreement |
| Camera Records | 1 month |
| Visitor Records | 2 years |
| Voice Records of Call Center | 1 year |
| Personal Data of Suppliers | 10 Years as of End of Legal Relationship |
| Data of Customers | 10 Years as of End of Legal Relationship |
| Visual and Audio Records Obtained in Events and Organizations | 10 years |
| Corporate Communication Activities | 10 Years as of End of Activity |
| Data Collected within the Scope of the Regulation on Occupational Health and Safety | 15 Years as of End of Business Relationship |
| Processes of Deletion, Disposal, Anonymization and Recording | 3 years as of date of transaction |
| Data Processed in accordance with Corporate Communication Activities for Employees | 10 Years As of End of Business Relationship |

  5. CATEGORIZATION OF DATA PROCESSED BY THE COMPANY

Categories of personal data specified below are processed by QUA GRANITE in accordance with the principles of the Article 4 of the Law on processing of personal data as based on and limited to at least one of the conditions for data processing as stipulated in the Article 5 and 6 of the law in line with the purpose of our company for processing personal data by informing relevant persons as per the Article 10 of the Law and secondary regulation;

  • Identity Information
  • Contact Details
  • Personnel Information
  • Financial Information
  • Information on Occupational Experience
  • Information on Legal Transactions
  • Information on Customer Transactions
  • Information on Security of Physical Place
  • Information on Visual and Audio Records
  • Health Information
  • Information on Philosophical Belief, Religion, Sectarian and Other Beliefs
  • Information on Penal Sentence and Security Measures
  • Information on Security of Transactions
  • Marketing Information
  • Biometric Data (Finger Print)
  • Other Information (Family Information, Visitor Information, Vehicle Plate Information, etc.)

 

  6. METHODS TO COLLECT PERSONAL DATA

Processed personal data may change depending on the type and nature of our products and services. We may collect your personal data verbally, electronically or in written form, using automated or nonautomated methods, through our offices, call records, website, social media, branches and dealerships with which we have a business relationship, and similar ways.

As long as you benefit from our products and services, your personal data may be processed and updated when necessary to ensure accuracy and up-to-datedness of your data. In addition, your personal data may also be processed when you visit campuses and buildings, branches and stores of QUA GRANITE physically or use call center, visit websites and/or other social and digital media or participate in events, seminars, organizations and trainings that are organized by QUA GRANITE in order to benefit from our products and services.

  7. PURPOSE FOR PROCESSING PERSONAL DATA

Your Personal Data is processed by QUA GRANITE for the main purposes specified below and within relevant sub-purposes within the scope of the terms for Personal Data Processing as set forth in the Articles 5 and 6 of the Law;

7.1. Within the scope of planning and executing the policy and processes of human resources;

  • Fulfilling obligations arising from labor contract and regulation for employees
  • Conducting processes for fringe benefits and interests for employees
  • Conducting processes for employee satisfaction and loyalty
  • Executing labor contracts
  • Implementing wage policy
  • Applying title changes
  • Carrying out training activities
  • Conducting performance assessment processes
  • Conducting application processes of employee candidates
  • Conducting processes for selection and position processes of employee candidates / interns

 

7.2. Within the scope of planning and carrying out activities of corporate communication and management;

  • Carrying out communication activities
  • Conducting assignment processes
  • Carrying out audit and ethical activities
  • Carrying out internal audit / investigation / information activities
  • Organization and event management

 

7.3. Within the scope of performing necessary works by company departments to carry out commercial activities and conducting relevant business processes;

  • Carrying out financial and accounting operations
  • Carrying out and auditing business activities
  • Executing agreements with business partners, suppliers and extraneous service providers
  • Executing dealership agreements
  • Carrying out business continuity activities
  • Conducting product and service sales processes

 

7.4. Within the scope of planning and carrying out strategies of the company, conducting marketing processes and raising brand recognition;

  • Receiving and assessing suggestions for improving business processes
  • Carrying out strategical planning activities
  • Conducting investment processes
  • Increasing rates of profit and sales
  • Preserving commercial interests of the company
  • Conducting advertisement, campaign and promotional processes through digital channels and other media
  • Carrying out marketing analysis activities
  • Carrying out Social Media and Press Activities

 

7.5. Within the scope of conducting production and sales processes for goods and services;

  • Determining our production costs correctly
  • Assessing products and designs sellable in the market
  • Determining sales potential of products and guiding production and design activities
  • Carrying out activities of logistics, shipping and storage management
  • Conducting supply chain management processes
  • Conducting operations for goods and services provided for the company
  • Enabling communication among suppliers, extraneous service providers and customers
  • Auditing compliance of products and services with relevant standards and requirements
  • Performing image and design works

 

7.6. Within the scope of conducting processes of customer relations management;

  • Providing after-sale support services for goods and services
  • Carrying out activities for customer satisfaction
  • Following up demands/complaints

 

7.7. Within the scope of ensuring legal, technical and commercial business safety of the company and relevant parties that have a business relationship with the company;

  • Carrying out occupational health and safety activities
  • Ensuring security of physical place
  • Conducting emergency management processes
  • Ensuring security of company operations
  • Keeping and tracking visitor records
  • Conducting information security processes
  • Conducting access authorizations
  • Conducting risk management processes
  • Ensuring security of data controller operations

 

7.8. Within the scope of fulfilling legal obligations;

  • Carrying out activities in accordance with the regulation
  • Carrying out storing and archiving activities
  • Informing authorized persons, institutions and organizations
  • Following up and conducting legal operations

7.9. Within the scope of planning and carrying out health services for employees;

  • Taking measures required to determine and prevent occupational disease

 

7.10. Within the scope of checking the HES Code for employees and visitors,

  • Preventing the spread of the COVID-19 outbreak
  • Ensuring measures for the process of fighting against the outbreak are applied

 

7.11. Within the scope of conducting public offering process and investment relationships;

  • Ensuring Communication between the Partnership and Investors
  • Keeping Records of Correspondences between the Partnership and Investors and Other Information and Documents in a Healthy, Safe and Updated Manner
  • Answering Questions of Investors about Their Partnership Activities and Financial Status
  • Responding to Written Requests of Company Shareholders for Information about Partnership
  • Preparing Documents to Be Submitted for Information and Review of Shareholders about General Assembly Meeting
  • Taking Measures to Ensure General Assembly Meeting Is Held in accordance with the Relevant Regulation, Articles of Incorporation and Other In-Partnership Regulations
  • Implementing Corporate Management Principles
  • Ensuring Obligations Arising from the Capital Market Regulation Including Any Matter Related to Corporate Management and Public Disclosure Are Fulfilled
  • Preparing Activity Reports of Investor Relations and Reporting to the Board of Directors of the Partnership

 

  8. TERMS FOR PROCESSING PERSONAL DATA

8.1. Taking Express Consent of the Personal Data Owner: As a rule, personal data cannot be processed without express consent of the data owner. Data owner gives his/her express consent after being informed on relevant subject and granting his/her free will. However, personal data may be processed without express consent of the data owner if any of following matters exists:

8.2. Specified in laws expressly: Personal data may be processed without consent of the owner if laws have an express stipulation about processing of personal data.

8.3. Failure to take express consent of the relevant person due to actual impossibility: Personal data of the data owner may be processed if it is required to process personal data of a person who cannot explain his/her consent or whose consent cannot be recognized due to actual impossibility in order to protect his/her or another person’s life or body integrity.

8.4. Being directly related to establishment or execution of an agreement: Personal data may be processed if it is required to process personal data of parties to an agreement provided that it is directly related to establishment or execution of the agreement.

8.5. Capability of the Data Controller of fulfilling its legal obligation: Personal data of the data owner may be processed if it is required for QUA GRANITE as data controller to fulfill its legal obligations.

8.6. Data made public by data owner: Personal data that is disclosed by the data owner to the public in any way or is available to access of everyone as a result of being public may be processed by QUA GRANITE as limited to the purpose of making public.

8.7. Mandatory data processing to establish, use or protect a right: Personal data of the data owner may be processed if it is required to process data in order to establish, use or protect a right.

8.8. Mandatory data processing for legitimate interests of the Data Controller: First of all, QUA GRANITE determines the legitimate interests that it will obtain by processing personal data and reviews potential effects of personal data processing on rights and freedoms of the data owner, then processes personal data if it deems that balance of interest of the owner is protected.

  9. PROCESSING OF PRIVATE PERSONAL DATA

QUA GRANITE processes private personal data in following conditions by taking any kind of administrative and technical measures through methods to be determined by the Council in accordance with the principles set forth in the Law and Policy:

  1. Private personal data except health and sexual life may be processed without express consent of the data owner if laws include an explicit provision on processing. Express consent of the data owner is sought in cases where it is not specified in laws explicitly.
  2. Private personal data on health and sexual life may be processed, without express consent of the data owner, by persons who are responsible for keeping secrets or by authorized institutions and organizations for protection of public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing. Otherwise, express consent of the data owner is sought.

  10. ENLIGHTENING PERSONAL DATA OWNER

QUA GRANITE is obliged to inform the data owner about the purposes for processing personal data, the persons that personal data is shared with and the purposes for sharing, the method of collecting personal data and the legal reasons for collecting, and the rights specified in Article 11 of the Law. QUA GRANITE may fulfill its obligation to enlighten through physical or electronic environments such as verbal, written, voice records and call center.

 

  11. SHARING PERSONAL DATA AND PURPOSE FOR SHARING

Your personal data processed by QUA GRANITE may be transferred to local and foreign extraneous service providers, suppliers, relevant real persons and legally authorized public institutions and organizations and legally authorized private legal persons within their powers in accordance with provisions of the articles 8 and 9 of the Law on transfer of personal data in line with Purposes for Data Processing specified in this Policy.

Express consent of the personal data owner is required to transfer personal data; however, QUA GRANITE may transfer personal data by taking all security measures, including methods determined by the Council, if at least one of the conditions below exists.

  1. Specified in laws expressly,
  2. Being directly related to establishment or execution of an agreement,
  3. Capability of the Data Controller of fulfilling its legal obligation,
  4. Limited to the purpose of making public provided that personal data is made public by the data owner,
  5. Establishment, use or protection of rights of the Data Controller, data owner or third parties,
  6. Protection of legitimate interests of the Data Controller provided that fundamental rights and freedoms of the data owner are protected,
  7. Protection of the data owner’s or another person’s life or body integrity when the person cannot explain his/her consent or his/her consent cannot be recognized due to actual impossibility.

In addition to the matters above, personal data may be transferred to foreign countries that are declared by the Council to have adequate protection (“Foreign Country with Adequate Protection”) if any of the matters above exists. In the event that adequate protection cannot be ensured, personal data may be transferred to foreign countries for which the data controllers in Turkey and in the relevant foreign country commit to adequate protection in writing and the Council of Protection of Personal Data gives its consent (“Foreign Country with Data Controller Committing Adequate Protection”) in line with the conditions for transfer of data as specified in the regulation.

Provided that provisions of the articles 8 and 9 of the Law on processing data are followed, your personal data is shared with;

  • Extraneous service providers (to receive services in the fields of education, health, accounting, etc.),

  • Suppliers of the company (to receive services provided by extraneous suppliers and required to carry out commercial activities of the company)
  • Public institutions and organizations that are authorized legally (as limited to purposes demanded by relevant public institutions and organizations within their legal powers),
  • Private legal persons that are authorized legally (as limited to purpose demanded by relevant public legal persons within their legal powers),
  • Press organizations (to carry out social media and press activities),
  • Banks that we cooperate with and
  • Independent law offices that we receive support from, courts and other official-legal authorities

in order to carry out commercial activities requiring QUA GRANITE HAYAL YAPI VE ÜRÜNLERİ SANAYİ TİCARET A.Ş. to participate.

  12. MEASURES TAKEN TO PROTECT PERSONAL DATA

QUA GRANITE takes any kind of administrative and technical measures required according to the nature of personal data as per Article 12 of the Law. Within this scope, it performs the necessary audits or has them performed, and prevents possession of personal data by third parties through illegal ways and illegal disclosure and transfer of such data. In the event that personal data is possessed by third parties through illegal ways although the technical and administrative measures required to protect such data are taken, QUA GRANITE shall notify relevant authorities as soon as possible.

  13. STORAGE AND DISPOSAL OF PERSONAL DATA

Our company stores personal data processed in accordance with Article 138 of the Turkish Penal Code and Articles 4 and 7 of the LPPD for a period provided in relevant regulations and laws and required by the purpose of personal data processing. Within this scope, our company determines whether a certain period is provided in the relevant regulation for storage of personal data that is subject to processing. If a legal period is determined, our company acts according to this period. If a legal period is not determined, a period required to realize the purpose of processing is determined and personal data is stored for this period. At the end of the determined storage period, personal data is disposed of at the periodic disposal intervals or upon application of the data owner, using the determined methods of disposal (deletion and/or demolition and/or anonymization).

  14. RIGHTS OF PERSONAL DATA OWNERS AND USE OF SUCH RIGHTS

14.1. Rights of the Personal Data Owner

  • To learn whether your personal data is processed,
  • To request information if your personal data is processed,
  • To learn the purpose of processing your personal data and whether personal data is used in accordance with such purposes,
  • To know domestic and international third parties that your personal data are transferred to,
  • To request correction if your personal data is processed deficiently or incorrectly and request transaction done within this scope to be reported to third parties that your personal data is transferred to,
  • To request personal data to be deleted or disposed if reasons for processing are eliminated although they are processed in accordance with provisions of the Law and other laws and request transaction done within this scope to be reported to third parties that your personal data is transferred to,
  • To reject if there is a result against you when your processed data is analyzed exclusively through automated systems,
  • To claim compensation for any damage suffered as a result of illegal processing of your personal data.

 

14.2. Use of Rights of the Personal Data Owner

You can send your applications and requests that are listed above to QUA GRANITE AŞ by filling in the Data Owner Application Form that you can find at https://qua.com.tr/ ,

  • By sending a copy with wet signature to the address of Söke Organize Sanayi Bölgesi Mah. Sokak No: 1 Söke, Aydın in person or through a notary public,
  • By sending to our registered electronic mail address quagranite@hs03kep.tr with use of a registered electronic mail (REM) address and secure electronic signature or mobile signature, or sending to our electronic mail address info@qua.com.tr from your electronic mail address that was previously notified to our company and is registered in our system.

The application must contain your name and surname, your signature if your application is in written form, T.R. Identity Number if you are a citizen of the Republic of Turkey, nationality, passport number or identity number if you are a foreigner, your residential or business address for notification, your electronic mail address for notification if any, telephone and fax number and request code. Information and documents related to the subject must be added to the application. Applications prepared without filling in the application form must deliver the matters specified in this paragraph completely to our Company. Otherwise, the application shall be deemed invalid.

In order for third parties to apply on behalf of relevant persons whose personal data is processed, a special power of attorney must be granted by the relevant person through a notary public to the person who will apply.

Verifying information may be requested so that our company can verify that the applicant is the relevant person and that application results are delivered to the right person. (For example, additional verifications may be requested, such as sending a message to your registered telephone or phone calls, etc.)

Your request in the application will be concluded free of charge as soon as possible and not later than 30 days, depending on the nature of the request. However, the fee determined by the Council of Protection of Personal Data shall be applied by our company if the process requires an additional cost for the company. Necessary operations are performed if your request is accepted. If your request is rejected as a result of the investigation and assessment conducted, the rejection and its reason are notified to you in writing or in an electronic environment.

You can find detailed information on application to the data controller and your rights to bring complaint to the council in articles 13, 14 and 15 in the Fourth Section of the Law.

14.3. Rejection of Application of the Personal Data Owner by QUA GRANITE

QUA GRANITE may reject application of the personal data owner in the cases below by explaining the reason as per the Article 28 of the Law:

  • Personal data is processed by real persons within the scope of activities related to family members who live with the data owner or in the same house provided that such data is not disclosed to third parties or obligations on data security are fulfilled.
  • Personal data is processed for research, planning and statistics with anonymization through official statistics.
  • Personal data is processed for artistic, historical, literary or scientific purposes or within the scope of freedom of expression provided that such data does not breach national defense, national security, public safety, public order, economic security, right of privacy or personal rights or does not constitute any crime.
  • Personal data is processed within the scope of preventive, protective and informative activities that are carried out by public institutions and organizations that are appointed and authorized by law to ensure national defense, national security, public security, public order or economic security.
  • Personal data is processed by judicial or execution authorities for investigation, prosecution, jurisdiction or execution processes.

Provided that the purpose and basic principles of this Law shall be followed and considered in accordance with the Article 28/2 of the Law, the Article 10 specifying the obligation of the data controller to enlighten, Article 11 specifying the rights of the relevant person except right to claim for damages and Article 16 specifying the obligation to be registered in the Registry of Data Controller shall not prevail in following cases:

  • Personal data processing is required for prevention of commitment of crime or criminal investigation.
  • Personal data that is made public by relevant person is processed.
  • Personal data processing is required by public institutions and organizations, professional organizations with nature of public institution that are appointed and authorized by the law for performing audit or regulatory duties and disciplinary proceedings or prosecutions.
  • Personal data processing is required to protect economic and financial interests of the Government for budget, tax and financial issues.

 

  15. IMPLEMENTING THE POLICY

As data controller, QUA GRANITE is responsible for implementing the Policy and for following up, coordinating and auditing all operations and actions in the process of complying with the Law. Effective legal regulations on processing and protection of personal data apply with priority. If there is an inconsistency between the effective regulation and this Policy, QUA GRANITE accepts to apply the effective regulation.

 

  16. EFFECTIVENESS AND ANNOUNCEMENT OF THE POLICY

This Policy entered into force on 07/07/2021. The version issued and brought into force by QUA GRANITE on 25.06.2018 has been updated with the effectiveness date of this Policy. If all or certain articles of the Policy are updated, updated articles shall enter into force on the date when they are updated. The policy is published at www.qua.com.tr with the latest version.

  17. INFORMATION ABOUT DATA CONTROLLER

Title: QUA GRANITE HAYAL YAPI VE ÜRÜNLERİ SANAYİ TİCARET A.Ş.

CRS Number: 0341026431600024

Address: Söke Organize Sanayi Bölgesi Mah. 4.Sokak No:1 Söke, Aydın

Telephone: +90 850 888 07 08

Fax: +90 850 466 06 60

e-mail address: info@qua.com.tr