Personal Data Protection, Storage and Destruction Policy

  1. OBJECTIVE, SCOPE AND DEFINITIONS

This Policy applies to all natural-person customers of Qua Granite AŞ (the Company), its main shareholder Qua Yapı and the subsidiaries under its control, and is based on the accepted basic principles regarding personal data protection, processing and destruction. The purpose of this Policy is to determine the principles regarding the protection and confidentiality of personal data of potential and existing customers, suppliers, visitors, employees, employee candidates and third parties in the status of real or legal persons within the scope of the Personal Data Protection Law No. 6698 (KVKK).

The terms used in this text have the meanings defined in Law No. 6698 and in the Regulations and Communiqués issued in relation to this Law, and are given below:

- Explicit Consent: Consent on a specific subject, based on information and expressed with free will,

- Anonymization: Irreversibly altering personal data so that it loses its character as personal data and can no longer be associated with a specific natural person,

- Personal Data Owner: The natural person whose personal data is processed,

- Personal Data: Any information relating to an identified or identifiable natural person,

- Sensitive Personal Data: Data that may cause discrimination or victimization of the person concerned (such as race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction),

- Processing of Personal Data: All kinds of operations performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system,

- Personal Data Retention and Destruction: The process of determining the maximum period of time required for the purpose for which personal data are processed and the process of deletion, destruction and anonymization,

- Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for managing the place where the data is kept systematically (data recording system),

- Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller,

- Data recording system: The recording system where personal data is structured and processed according to certain criteria,

- Contact Person: Refers to the real person notified by the data controller at the time of registration to the Registry for the communication to be established with the Authority regarding the obligations of the legal entities resident in Turkey and the non-resident legal entity data controller representative within the scope of the Law and the secondary regulations to be issued based on this Law.

Qua Granite AŞ undertakes to:

- Protect the confidentiality of personal data belonging to customers, employees, business partners and third parties, regardless of whether they are in physical and/or electronic media,

- Take appropriate administrative and technical measures to ensure confidential and secure processing,

- Obtain and process personal data securely, in accordance with legal and legitimate purposes and with due diligence.

GENERAL PRINCIPLES

The general principles applied by Qua Granite AŞ in the process of processing personal data are explained below:

  1. Confidentiality

The Company takes as a basis that the processing of personal data is carried out in complete confidentiality. In this context, it prevents any unauthorized access to personal data to the extent possible, implements all possible technical and administrative measures within its structure and periodically conducts audits in this regard.

  1. Compliance with the Law and Good Faith

The Company processes the data obtained in accordance with the law and good faith within the limits stipulated by the Law. Qua Granite is transparent about the information it collects and uses about customers, potential customers, employees, business partners and applicants.

  1. Being Accurate and Up-to-Date When Necessary

The Company ensures that the processed data is kept complete and accurate and updated when necessary, taking into account the fundamental rights of data subjects and their legitimate interests. In case the data is outdated, it makes the necessary arrangements to determine the need for correction, modification, updating or deletion.

  1. Processing for Specific, Explicit and Legitimate Purposes

Personal data are used only for the purpose for which they were collected and for which the natural person was informed. The Company processes personal data for specific, explicit and legitimate purposes and does not process it for any purpose other than the processing and collection purposes explained to the data subjects. The personal data processed by the Company is directly related to and necessary for the service provided to the data subject.

  1. Being Relevant, Limited and Proportionate to the Purpose of Processing

The Company processes personal data consistently with specific purposes and within reasonable limits in this context. Personal data are not collected for possible future data processing purposes and are not used, processed or transferred in a manner contrary to the purpose of collection. In accordance with the minimum data principle, the Company processes personal data within the purposes for which it was collected and avoids the processing of personal data that is not needed.

  1. Preservation for the Required Period

In the event that the main purpose requiring the processing of personal data disappears and there is no longer any need for such data, such data shall be deleted, destroyed or anonymized. Personal data are stored for the period stipulated and determined by the relevant legislation. If the retention period determined by the legislation expires, the data is deleted, destroyed or anonymized by the Company from systems, devices and physically kept media through periodic checks.

  1. Informing the Data Subject

The Company informs the data subject accurately and properly about the processing of personal data. In addition, when necessary, it obtains the consent of the data subject for the relevant transaction, and offers the option to withdraw the consent given at any time or to make a request regarding the data. In the event that the relevant data subject withdraws his/her consent, the Company handles the data belonging to the person within the scope of other principles specified in this Policy. For this purpose, data subjects may use the Data Owner Application Form, which can be accessed at www.quagranite.com.tr.

  1. PROCESSING OF PERSONAL DATA

One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the personal data subject must be related to a specific subject, based on information and freely given. The data is processed within the scope of the explicit consent of the owner and for the specified purposes. As a rule, in the presence of the following conditions, it is not necessary to obtain the explicit consent of the data subject:

- The personal data of the data subject shall be processed in accordance with the law, as expressly stipulated in the law. In cases where data processing is permitted by law, data may be processed limited to the reasons and data categories specified in the relevant law.

- The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect his/her or another person's life or physical integrity.

- Provided that it is directly related to the establishment or performance of a contract, personal data may be processed if it is necessary to process personal data of the parties to the contract (provided that the person whose data will be processed based on the establishment or performance of the contract is one of the parties to the contract).

- Personal data of the data subject may be processed if data processing is mandatory for the fulfillment of legal obligations by the Company.

- Personal data may be processed if the personal data has been made public by the data subject.

- Personal data of the data subject may be processed if data processing is mandatory for the establishment, exercise or protection of a right.

- Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of the company.

  1. Special Categories of Personal Data

The Law defines race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or trade unions, sexual life, criminal conviction and security measures, and biometric and genetic data as sensitive personal data. Accordingly, special categories of personal data may be processed by taking adequate administrative and technical measures determined by the Board and in the presence of the following conditions.

  • Sensitive personal data other than health and sexual life may be processed without seeking the explicit consent of the data subject if there is an explicit provision regarding the processing of personal data in the law to which the activity is subject. Otherwise, the explicit consent of the data subject shall be obtained for the processing of such special categories of personal data.
  • Special categories of personal data relating to health and sexual life may be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without seeking explicit consent. Otherwise, the explicit consent of the data subject shall be obtained for the processing of such special categories of personal data.

  1. SECURITY AND DESTRUCTION OF PERSONAL DATA

  1. Transfer of Personal Data

Even without the explicit consent of the personal data owner, if one or more of the following conditions exist, personal data may be transferred, by taking all necessary security measures including the methods stipulated by the Board, to our suppliers and business partners with whom we cooperate domestically or abroad and from whom we receive outsourced services or support, and to legally authorized public institutions and private persons within the scope of their authority.

  • The relevant activities regarding the transfer of personal data are clearly stipulated in the laws,
  • The transfer of personal data by the Company is directly related and necessary for the establishment or performance of a contract,
  • The transfer of personal data is mandatory for our Company to fulfill its legal obligation,
  • The personal data has been made public by the data owner, and the transfer by our Company is limited to the purpose for which it was made public,
  • Transfer of personal data by the Company is mandatory for the establishment, use or protection of the rights of the Company or the data subject or third parties,
  • It is mandatory to carry out personal data transfer activities for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject,
  • It is necessary for the protection of the life or bodily integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.

In addition to the aforementioned articles, personal data may be transferred to foreign countries declared by the Board to have adequate protection ("Foreign Country with Adequate Protection") in the presence of any of the above conditions. In the absence of adequate protection, in accordance with the data transfer conditions stipulated in the legislation, personal data may be transferred to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the Personal Data Protection Board has granted permission ("Foreign Country Where the Data Controller Undertakes Adequate Protection").

  1. Storage and Destruction of Personal Data

The Company retains the personal data it processes only for the period stipulated in the relevant legislation and laws or required by the purpose of personal data processing. In this context, a "Personal Data Retention Period Table" has been created for the retention periods of personal data based on the principles contained in the Policy.

Qua Granite AŞ undertakes to announce the "Personal Data Retention Periods Table" to all its employees and to keep it in an easily accessible area.

| PROCESS | RETENTION PERIOD | DESTRUCTION PERIOD |
| --- | --- | --- |
| Data collected within the scope of Occupational Health and Safety Legislation | 15 years | Within 180 days following the end of the retention period |
| Customer Data | 10 years, pursuant to Article 146 of the Code of Obligations, which regulates the general statute of limitations for lawsuits | Within 180 days following the end of the retention period |
| Data collected within the scope of SSI legislation | 10 years following the termination of the employment relationship | Within 180 days following the end of the retention period |
| Pursuant to other relevant legislation | For the period stipulated in the relevant legislation | Within 180 days following the end of the retention period |
| Pursuant to Articles 66 and 68 of the Turkish Penal Code, in the event that the relevant personal data is subject to or related to a crime within the scope of the Turkish Penal Code or other legislation imposing criminal provisions | For the duration of the statute of limitations for prosecution and the statute of limitations for punishment | Within 180 days following the end of the retention period |

All transactions regarding the deletion, destruction and anonymization of personal data are recorded and such records are kept for at least three years, excluding other legal obligations.

  1. ENFORCEMENT AND IMPLEMENTATION

This Policy entered into force on 01.11.2020. In the event that all or certain articles of the Policy are updated, the updates enter into force on the date of their publication. The Policy is published in its most up-to-date version on https://qua.com.tr/.