1. INTRODUCTION
The Regulation on the Deletion, Destruction, or Anonymization of Personal Data (“Regulation”) imposes an obligation on data controllers required to register with the Data Controllers Registry to prepare a personal data storage and disposal policy in accordance with their personal data processing inventory. As Next Plastik Kauçuk Sanayi ve Ticaret Anonim Şirketi (“Company”), we diligently fulfill our obligations arising from the law and secondary legislation. To this end, we regulate the storage and disposal processes of the personal data we process, along with their details, under this Personal Data Storage and Disposal Policy (“Policy”).
As Next Plastik Kauçuk Sanayi ve Ticaret Anonim Şirketi, we place great importance on the processing and protection of all personal data belonging to individuals within the scope of our business activities, including but not limited to customers, potential customers, suppliers, service providers, public institutions and organizations, legal entity representatives and employees, business partners, company shareholders, company employees, job applicants, intern applicants, and interns, as well as representatives and employees of authorized public institutions and private law legal entities. We ensure that personal data is processed and protected in compliance with the Law on the Protection of Personal Data No. 6698 (“KVKK”). To achieve this, our company takes necessary administrative and technical measures in accordance with legal regulations and issued decisions.
This Personal Data Protection, Processing, Storage, and Disposal Policy and its annexes have been prepared by Next Plastik Kauçuk Sanayi ve Ticaret Anonim Şirketi, in its capacity as a data controller, within the framework of the Law on the Protection of Personal Data No. 6698 (“Law”) and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.
2. PURPOSE
The Personal Data Storage and Disposal Policy (“Policy”) has been prepared to establish the procedures and principles that must be followed concerning the storage and disposal activities carried out by our Company.
With this Policy, our Company aims to ensure full compliance with the Law on the Protection of Personal Data, in accordance with the following fundamental principles: The processing of personal data belonging to the relevant individuals mentioned above in compliance with the decisions and principles set forth by the Personal Data Protection Authority (KVK Authority), Adherence to the principles established by the Constitution of the Republic of Turkey, International Agreements, the Law on the Protection of Personal Data No. 6698, and related regulations, Ensuring that relevant individuals can exercise their rights effectively. All storage and disposal activities related to personal data are carried out in compliance with this Policy.
3. SCOPE
Within the scope of our company's activities, the personal data of our customers who purchase products or services, potential buyers of products or services, suppliers, service providers, legal entity representatives and their employees, business partners, company shareholders, company employees, job applicants, intern applicants, interns, authorized public institutions and organizations, as well as representatives and employees of private law legal entities, and other relevant third parties, fall under the scope of this Policy. This Policy applies to all records and environments where personal data is processed, whether by automated means or non-automated means, and to all company activities involving the processing of personal data.
4. ABBREVIATIONS AND DEFINITIONS
Explicit Consent |
Consent given regarding a specific subject, based on information and expressed with free will. |
Recipient Group |
The category of natural or legal persons to whom personal data is transferred by the data controller. |
Anonymization |
The process of making personal data unidentifiable and unlinkable to any specific individual, even when matched with other data. |
Employee |
Includes both company employees and employees hired through suppliers |
Electronic Environment |
Environments where personal data can be created, read, modified, and written using electronic devices. |
Non-Electronic Environment: |
All written, printed, visual, and other formats that are not classified as electronic environments. |
Service Provider |
A natural or legal person providing services to the company under a specific contractual framework. |
Relevant User |
Persons processing personal data within the organization of the data controller or under its authorization and instructions, excluding those responsible for the technical storage, protection, and backup of data |
Relevant Person / Personal Data Subject |
The natural person whose personal data is processed |
Destruction |
The process of deleting, destroying, or anonymizing personal data |
Personal Data Processing Inventory: |
A document created by data controllers that details their personal data processing activities based on their business processes, associating them with processing purposes, legal grounds, data categories, recipient groups, and data subject groups. It also specifies the maximum retention period necessary for the processing purpose, personal data transfers to foreign countries, and the security measures taken to protect personal data. |
Data Recording Environment |
Any environment where personal data is processed, either fully or partially by automated means, or by non-automated means provided that it is part of a data recording system. |
Personal Data |
Any information relating to an identified or identifiable natural person. |
Processing of Personal Data |
Any operation performed on personal data, whether fully or partially automated or non-automated, provided that it is part of a data recording system. This includes collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or preventing the use of data. |
Anonymization of Personal Data: |
The process of making personal data unidentifiable and unlinkable to any specific individual, even when matched with other data |
Deletion of Personal Data: |
The process of making personal data completely inaccessible and unusable for Relevant Users. |
Destruction of Personal Data |
The process of making personal data completely inaccessible, unrecoverable, and unusable by anyone. |
Law |
Law No. 6698 on the Protection of Personal Data |
Board |
The Personal Data Protection Board |
Authority |
The Personal Data Protection Authority. |
Personal Data Contact Person |
A natural person designated during registration to the Registry, responsible for ensuring communication with the Authority regarding obligations under the Law and related secondary regulations. This applies to data controllers established in Turkey, as well as representatives of data controllers not based in Turkey |
Sensitive Personal Data |
Personal data related to an individual’s race, ethnicity, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal record, security measures, biometric and genetic data. |
Periodic Disposal |
The process of deleting, destroying, or anonymizing personal data at recurring intervals specified in the Personal Data Storage and Disposal Policy when all conditions for processing personal data under the Law are no longer applicable |
Policy |
The General Policy on the Processing, Storage, and Disposal of Personal Data |
Company |
Next Plastik Kauçuk Sanayi ve Ticaret Anonim Şirketi |
Data Processor |
A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller |
Data Recording System |
A structured recording system where personal data is processed according to specific criteria. |
Data Controller: |
A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
Data Controllers Registry Information System:
|
An information system created and managed by the Authority, accessible via the internet, which data controllers use for registration and other related transactions with the Registry.
|
VERBIS |
The Data Controllers Registry Information System |
Regulations |
The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017 |
5. RESPONSIBILITIES AND DUTY DISTRIBUTION
In accordance with Law No. 6698 on the Protection of Personal Data (KVKK) and related regulations, a Personal Data Contact Person has been designated within the company to ensure compliance with personal data protection legislation, its maintenance, and continuity. The responsibilities and duties of this person have been defined, necessary decisions have been made, and relevant parties have been notified
To ensure the proper implementation of the technical and administrative measures taken under this Policy, to increase the training and awareness of employees in the relevant units, to conduct audits, and to prevent the unlawful processing and unauthorized access to personal data, as well as to ensure the lawful storage of personal data, technical and administrative measures for data security are implemented by the Personal Data Contact Person in all environments where personal data is processed.
6. ENVIRONMENTS WHERE PERSONAL DATA IS RECORDED
Personal data held by our company is recorded in electronic environments such as servers, software used by the company, personal computers, mobile devices (phones, tablets), optical disks, and removable storage devices. Additionally, personal data stored in paper format includes printed forms, contracts between the company and third parties, manual data recording systems (employment contracts, leave forms, occupational safety forms), and personal data stored in written, printed, and visual formats in department cabinets and archive rooms, which are classified as non-electronic physical environments.
All personal data is securely stored in compliance with Law No. 6698 on the Protection of Personal Data, relevant regulations, and international data security principles. Your personal data may be collected, recorded, stored, modified, reorganized, and processed by our company, either fully or partially through automated means or non-automated means, provided that it is part of a data recording system.
7. PROCESSING OF PERSONAL DATA AND GENERAL PRINCIPLES
7.1. Principle of Confidentiality
As explained in this Policy, the data of all individuals, including employees and those in contact with our company, are confidential. Except for the cases specified by law, no one may use, reproduce, copy, transfer to others, or use personal data for purposes other than those determined in this policy and applicable regulations.
7.2. Fundamental Principles
Personal Data processed by our company is handled in compliance with the principles set out in Article 4 of Law No. 6698 on the Protection of Personal Data (KVKK). The company ensures that personal data is processed, protected, deleted, and disposed of in accordance with the following principles and the procedures set forth in the law:
• Compliance with lawfulness and the principle of good faith.
• Ensuring that personal data is accurate and, when necessary, kept up to date.
• Processing personal data for specific, explicit, and legitimate purposes.
• Ensuring that the processing of personal data is relevant, limited, and proportionate to its intended purposes.
• Retaining personal data only for the period required by relevant legislation or necessary for the purposes for which it was processed.
8.CONDITIONS FOR PROCESSING PERSONAL DATA
Personal data processed by our company is handled in accordance with Article 5 of Law No. 6698. As a general rule, personal data cannot be processed without the explicit consent of the data subject. However, in cases where one of the following conditions applies, personal data may be processed without requiring the explicit consent of the data subject:
• Explicitly stipulated by law: The processing of personal data is expressly required by the applicable laws. (Principle of Legality)
• Impossibility to obtain consent: It is necessary to process personal data to protect the life or physical integrity of a person who is unable to provide consent due to actual impossibility or whose consent is legally invalid. (Actual Impossibility)
• Necessary for the performance of a contract: The processing of personal data is essential for the establishment or performance of a contract, provided that the data subject is one of the contracting parties. (Performance of a Contract)
• Compliance with a legal obligation: The processing of personal data is required for the data controller to fulfill its legal obligations. (Legal Obligation)
• Personal data made public by the data subject: The processing of personal data that has been publicly disclosed by the data subject. (Public Availability)
• Necessity for the establishment, exercise, or protection of a legal right: The processing of personal data is mandatory for the exercise or protection of a legal right. (Necessity)
• Legitimate interests of the data controller: The processing of personal data is necessary for the legitimate interests of the data controller, provided that it does not infringe on the fundamental rights and freedoms of the data subject. (Legitimate Interest)
9. CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA
Special categories of personal data processed by our company are handled in accordance with Article 6 of Law No. 6698 on the Protection of Personal Data. Special categories of personal data include information related to an individual’s race, ethnic origin, political opinion, philosophical beliefs, religion, sect or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal record, security measures, biometric, and genetic data.
As stated in the Law, the processing of special categories of personal data is prohibited without the explicit consent of the data subject. Therefore, such data cannot be processed without the explicit consent of the relevant person. However, as specified in the Law, except for personal data related to health and sexual life, other special categories of personal data may be processed without explicit consent if explicitly stipulated by law.
Personal data related to health and sexual life may be processed without the explicit consent of the data subject only under the following conditions:
• For the protection of public health,
• For preventive medicine,
• For medical diagnosis, treatment, and care services,
• For the planning and management of healthcare services and their financing,
• By individuals or authorized institutions and organizations that are under a duty of confidentiality.
Our company processes special categories of personal data in full compliance with Law No. 6698 and other applicable legal regulations, taking adequate measures prescribed by the Personal Data Protection Board.
10. PROCESSING, COLLECTION, AND LEGAL BASIS OF PERSONAL DATA
Personal data may be processed by fully or partially automated means or non-automated means, provided that it is part of a data recording system. Data may be collected through oral, written, or electronic means, including but not limited to application forms, declarations, personnel files, contracts, financial and social rights records, invoicing, purchasing, marketing, planning, quality control, and corporate development activities.
As a general rule, personal data is processed based on the explicit consent of the data subject. However, in cases where one of the following conditions applies, personal data may be processed without requiring explicit consent:
• If the processing is necessary for the establishment or performance of a contract between our company and third parties (natural or legal persons),
• If the processing is required for the company to fulfill its legal obligations,
• If the personal data has been made public by the data subject,
• If the processing is necessary for the establishment, exercise, or protection of a legal right,
• If the processing is necessary for the legitimate interests of the data controller, provided that it does not infringe on the fundamental rights and freedoms of the data subject,
• If the processing is explicitly stipulated by law.
Personal data is processed, collected, and transferred in accordance with Articles 5 and 6 of Law No. 6698 on the Protection of Personal Data and Article 5/1-h of the Communiqué on the Principles and Procedures for Fulfilling the Obligation to Inform, limited to the purposes specified.
11. PRINCIPLES REGARDING THE STORAGE AND DISPOSAL OF PERSONAL DATA
Through this Policy, our company ensures that personal data is stored and disposed of in compliance with relevant legislation, procedures, and legal regulations. Detailed explanations regarding the storage and disposal of personal data are provided below.
11.1. Storage of Personal Data
Article 3 of Law No. 6698 defines the processing of personal data, while Article 4 states that processed personal data must be relevant, limited, and proportionate to the purposes for which they are processed and must be retained only for the period required by relevant legislation or necessary for the processing purpose. Additionally, Articles 5 and 6 of Law No. 6698 outline the conditions for processing personal data.
As detailed in this Policy, personal data within the scope of company activities is stored for the period prescribed by the relevant legislation or as required for the purpose of processing, with appropriate administrative and technical measures in place.
11.2. Legal Grounds for Storing Personal Data
Personal data processed within the scope of our company's activities is stored for the duration specified in the relevant legislation. The retention periods specified by laws governing individuals subject to company activities, secondary regulations, and statutory limitation periods for crimes specified in the laws are observed.
In addition to the legal retention periods, our company considers statutory limitation periods applicable to processed personal data, potential disputes with third parties that may arise from legal relations, corporate memory, and commercial transactions and activities. Beyond the legally mandated periods, the storage and disposal periods of personal data are determined by corporate decisions, considering the company’s legitimate interests and contractual obligations with relevant data subjects.
11.3. Purposes of Storing Personal Data
Our company stores the personal data it processes in compliance with Articles 5 and 6 of Law No. 6698, limited to company activities, and in accordance with the relevant legal regulations. The purposes for storing personal data include:
• Ensuring the continuity of corporate activities and fulfilling obligations within the scope of company operations.
• Conducting manufacturing, marketing, and export operations related to plastic and rubber products, as well as fulfilling obligations related to procurement, sales, and delivery processes.
• For customers who purchase products or services: Ensuring the provision of our products or services to customers, maintaining commercial business processes, ensuring customer satisfaction, fulfilling customer requests and complaints, carrying out purchasing, sales, production, payment, collection, and invoicing transactions, and fulfilling our legal obligations towards the relevant individuals in this context.
• For customers, suppliers, business/solution partners: Carrying out the company's financial, accounting, administrative, legal, and technical business processes, recommending our products, managing customer and portfolio relations, improving service quality, conducting communication, audit, control, and risk management activities, and ensuring occupational health and safety.
• For legal compliance: Making necessary notifications to courts, enforcement offices, consumer arbitration boards, mediators, judicial authorities, and relevant public institutions and organizations, and fulfilling legal obligations.
• For employees and job applicants: Planning and executing human resources processes, fulfilling legal obligations, managing job application processes, creating personnel files, fulfilling obligations related to finance, accounting, administration, and social rights, carrying out the placement processes of job applicants, and determining the company's wage policy.
• For company shareholders and partners: Conducting company management activities, fulfilling legal obligations, promoting the company, and informing relevant individuals.
• For the company’s contractual obligations: Ensuring the execution and performance of contracts made or to be made with customers, potential buyers, suppliers, service providers, employees, consultants, business partners, third parties, and public institutions and organizations.
• For legal disputes: Ensuring the company’s ability to provide evidence in legal disputes with third parties.
• For corporate communication and security: Establishing and maintaining communication with public institutions, organizations, natural and legal persons, corporate representatives, and other stakeholders with whom the company has legal relations; ensuring corporate quality; safeguarding the transaction security of related persons; and facilitating communication through corporate contact information.
• For physical security and workplace monitoring: Ensuring the security of the company’s head office, factory production areas, and annexes, protecting movable property, controlling factory entrance and exit points, tracking company vehicles, monitoring employee attendance as per employment contracts, and overseeing personnel attendance processes.
11.4. Reasons Requiring the Disposal of Personal Data
Personal data is deleted, destroyed, or anonymized upon the request of the data subject by completing an application form, in accordance with the procedures and principles stipulated in the company policy, law, and regulations. Personal data is disposed of in the following cases:
• If the purpose for which the personal data was processed or stored no longer exists.
• If the legal provisions forming the basis for the processing of personal data are amended or repealed.
• If the processing of personal data by the company is based solely on the explicit consent of the data subject, and the data subject withdraws their explicit consent.
• If, in accordance with Article 11 of Law No. 6698, the data subject submits a request to the company for the deletion or destruction of their personal data, and this request is approved by the Personal Data Protection Authority (KVK Authority).
• If the KVK Authority rejects the request made by the data subject for the deletion, destruction, or anonymization of their personal data, if the data subject finds the response insufficient, or if the authority fails to respond within the timeframe stipulated in Law No. 6698, and the data subject subsequently lodges a complaint with the KVK Board, which then approves the request.
• If the maximum retention period required by the relevant legal regulations has expired, and there is no other legal reason to continue storing the personal data
12. TECHNICAL AND ADMINISTRATIVE MEASURES FOR THE STORAGE AND DISPOSAL OF PERSONAL DATA
Within the scope of the regulations set out in this Policy, our company takes the necessary technical and administrative measures to ensure the secure and lawful storage of personal data, prevent unauthorized processing and access, avoid data breaches, and ensure the lawful disposal of personal data. According to Article 6/4 of Law No. 6698, the processing of special categories of personal data must comply with the adequate security measures determined by the KVK Board. Additionally, under Article 12, our company, as the data controller, implements the necessary technical and administrative measures in compliance with the KVK Board’s publicly announced security guidelines to ensure the security of personal data.
12.1. Technical Measures
The technical measures announced by the Personal Data Protection Authority (KVK Authority) on its official website (https://www.kvkk.gov.tr) are implemented by the company as the data controller. The necessary technical measures have been identified, and risk assessments have been conducted. As a result of on-site and real-time security analyses, potential risks and threats that may affect the continuity of the company’s IT systems have been identified and are continuously monitored. Our company has implemented security measures for IT infrastructure, software, and physical security of data. The technical measures taken are detailed below:
• Network security and application security are ensured.
• Security measures are implemented in the procurement, development, and maintenance of IT systems.
• Disciplinary regulations include provisions on data security for employees.
• Employees receive regular training and awareness programs on data security.
• An authorization matrix for employees has been established.
• Access logs are maintained regularly.
• Corporate policies on access, information security, data usage, storage, and disposal have been established and implemented.
• Confidentiality agreements are signed.
• Up-to-date antivirus systems are used.
• Firewalls are implemented.
• Signed contracts include data security provisions.
• Additional security measures are taken for personal data transferred in paper format, and relevant documents are sent in a confidential document format.
• Personal data security policies and procedures have been established.
• Personal data security issues are reported promptly.
• Personal data security is monitored.
• Necessary security measures are taken for access to physical environments containing personal data.
• Security measures are implemented to protect physical environments containing personal data from external risks (fire, flood, etc.).
• Security of environments containing personal data is ensured.
• Personal data is minimized whenever possible.
• Personal data is backed up, and the security of the backed-up data is also ensured.
• Internal periodic and/or random audits are conducted and enforced.
• Log records are kept in a way that prevents user intervention.
• Existing risks and threats have been identified.
• Protocols and procedures for the security of special categories of personal data have been established and are being implemented.
• If special categories of personal data are sent via email, they are encrypted and sent using a registered electronic mail (KEP) or corporate email account.
• Intrusion detection and prevention systems are in place.
• Cybersecurity measures have been implemented and are continuously monitored.
• Data encryption is applied.
• Periodic security audits of data processors providing services are conducted.
• Data processors are made aware of data security.
12.2. Administrative Measures
The necessary administrative measures have been implemented by the company as the data controller, in compliance with the administrative measures announced by the Personal Data Protection Board. In alignment with Law No. 6698 on the Protection of Personal Data, the company has made the necessary corporate decisions, started fulfilling its legal obligations, and published required policies. Accordingly:
• Personal data is processed based on the Personal Data Processing Inventory, as required by Article 5/1 of the Regulation, which mandates the inclusion of specified elements listed in the relevant legislation.
• A Personal Data Processing Inventory has been created by our company and is updated periodically.
• Privacy Notices and Information Texts have been prepared, and an Application Form has been drafted and implemented by the authorized company units.
13. EXPLANATION OF PERSONAL DATA DISPOSAL TECHNIQUES
As outlined in the policy and personal data processing inventory created by our company, personal data is disposed of at the end of the legally required retention period or when the purpose for which they were processed no longer exists. This process is carried out either automatically by the authorized company units or upon the request of the data subject, in compliance with Law No. 6698 and relevant regulations, using the following methods and techniques.
13.1. Deletion of Personal Data
• Personal Data Stored on Servers: Personal data stored on servers that exceed their required retention period is deleted by revoking access permissions of relevant users under the supervision of an authorized person.
• Personal Data Stored in Electronic Environments: Personal data stored in electronic environments that exceed their required retention period is made completely inaccessible and unusable for relevant users (excluding database administrators).
• Personal Data Stored in Physical Environments: Personal data stored in physical environments that exceed their required retention period is made completely inaccessible and unusable for employees other than the archive manager. Additionally, a redaction process is applied by crossing out, painting over, or erasing the information so that it cannot be read.
• Personal Data Stored on Portable Media: Personal data stored on flash-based storage devices that exceed their required retention period is encrypted and stored in secure environments, with access permissions granted only to the authorized individual by the responsible company unit.
13.2. Destruction of Personal Data
• Personal Data Stored in Physical Environments: Personal data stored in paper format that exceeds its required retention period is shredded or incinerated beyond recovery.
• Personal Data Stored on Optical and Magnetic Media: Personal data stored on optical and magnetic media that exceeds its required retention period is made unreadable with the assistance of technical support services from the IT department.
13.3. Anonymization of Personal Data
Anonymization of personal data refers to the process in which personal data is rendered unidentifiable and cannot be linked to a specific individual, even when matched with other data belonging to third parties.
To ensure personal data is truly anonymized, it must be processed in such a way that the data cannot be restored or linked to an identifiable individual by the data controller or any third parties, even through data matching or other technical methods relevant to the storage medium and processing activities.
14. PERSONAL DATA STORAGE AND DISPOSAL PERIODS
Within the scope of our company’s activities, the storage periods for all personal data processed as part of company operations are determined as follows: Personal data retention periods on a data basis are recorded in the Personal Data Processing Inventory. Data category-based storage periods are registered in VERBIS. Process-based retention periods are defined in the Personal Data Storage and Disposal Policy.
If the specified retention period expires or if no storage duration is prescribed in the relevant legislation, personal data is categorized into regular personal data and special categories of personal data in accordance with Article 6 of Law No. 6698 (KVKK). All special categories of personal data identified are disposed of. The method of disposal is determined based on the nature of the data and its significance to the company. In cases where the company does not have a legitimate purpose for retaining the data, or if storage violates the principles stated in Article 4 of KVKK, the data is deleted, destroyed, or anonymized. If the data falls within the exceptions outlined in Articles 5 and 6 of KVKK, an appropriate reasonable retention period is determined, after which the data is deleted, destroyed, or anonymized.
The Personal Data Contact Person is responsible for monitoring and updating storage periods when necessary. Personal data that has reached the end of its retention period is deleted, destroyed, or anonymized by the Personal Data Contact Person, based on their designated authority, duties, and responsibilities. The process-based personal data retention and disposal periods are provided in a table format in the appendix.
15. DATA CONTROLLER'S OBLIGATION TO INFORM
In accordance with Article 10 of KVKK, as a data controller, our company has implemented all necessary technical and administrative measures to: Prevent the unlawful processing of personal data, Prevent unauthorized access to personal data, Ensure the secure storage of personal data.
To this end, necessary policies and privacy notices have been prepared to cover the personal data of customers who purchase products or services, potential buyers of products or services, suppliers, service providers, legal entity representatives and employees, business partners, company shareholders, company employees, job applicants, intern applicants, interns, authorized public institutions and organizations, and representatives, employees, and related third parties of private legal entities
In accordance with the obligation to inform, the following information must be provided to data subjects, as stipulated in the law:
1. The identity of the data controller and, if applicable, its representative,
2. The purposes of processing personal data,
3. The recipients to whom processed personal data may be transferred and the purposes of such transfers,
4. The method and legal basis for collecting personal data,
5. The rights of data subjects under Article 11 of the KVKK (Law on the Protection of Personal Data No. 6698).
In compliance with Article 10 of Law No. 6698 (the "Law") and the Communiqué on the Procedures and Principles for Fulfilling the Obligation to Inform, separate privacy notices have been prepared for different categories of data subjects. The Privacy Notice prepared by our company in its capacity as the data controller can be obtained from our company upon request.
16. RIGHTS OF THE PERSONAL DATA SUBJECT (RIGHT TO APPLY)
Pursuant to Article 11 of Law No. 6698 on the Protection of Personal Data, which regulates the rights of data subjects, and the Communiqué on the Procedures and Principles for Applications to the Data Controller, our company, as the data controller, has prepared an Application Form. This Application Form can be obtained from our company upon request.
16.1. Right to Apply for the Personal Data Subject
According to Article 11 of the Law, any individual has the right to apply to the data controller and request:
1. To learn whether their personal data has been processed,
2. To request information if their personal data has been processed,
3. To learn the purpose of processing personal data and whether they are used in accordance with the intended purpose,
4. To know the third parties to whom personal data has been transferred, whether domestically or abroad,
5. To request the correction of incomplete or inaccurate personal data,
6. To request the deletion or destruction of personal data under the conditions specified in Article 7 of the KVKK,
7. To request notification of the correction, deletion, or destruction of personal data to third parties to whom the data has been transferred,
8. To object to a decision resulting in a negative outcome for them, which has been made solely through automated processing of their personal data,
9. To demand compensation if they suffer damage due to the unlawful processing of personal data.
16.2. Procedure, Timeframe, and Principles for the Data Controller's Response to Applications
Pursuant to Article 13/1 of Law No. 6698 on the Protection of Personal Data, applications regarding the exercise of the rights mentioned above must be submitted in writing or through the methods determined by the Personal Data Protection Authority (KVK Authority). Our company will conclude the application as soon as possible and within a maximum period of thirty (30) days, free of charge, depending on the nature of the request. However, if the process incurs an additional cost, the fee specified in the tariff set by the KVK Authority will be charged. If the application results from an error on the part of the data controller, any fee collected will be refunded to the applicant.
16.3. Right of the Data Subject to File a Complaint with the Authority
If an application is rejected, the response is deemed insufficient, or no response is provided within the specified time, the data subject may lodge a complaint with the KVK Board within thirty (30) days from the date they learned of the response or within sixty (60) days from the date of the application. Pursuant to Article 13 of the Law, the data subject must first exhaust the application process before submitting a complaint.
17. CASES WHERE THE DATA SUBJECT CANNOT EXERCISE THEIR RIGHTS (EXCEPTIONS)
Pursuant to Article 28/1 of Law No. 6698, the following cases are excluded from the scope of the law (exceptions), and data subjects cannot exercise the rights specified in Article 16 above:
• Processing of personal data by natural persons as part of activities related exclusively to themselves or their family members living in the same household, provided that such data is not disclosed to third parties and security obligations are fulfilled.
• Processing of personal data for official statistics or anonymization for research, planning, or statistical purposes.
• Processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that such processing does not violate national security, public security, public order, economic security, privacy of private life, or personal rights, and does not constitute a criminal offense.
• Processing of personal data by public institutions and organizations authorized by law to maintain national defense, national security, public security, public order, or economic security, as part of preventive, protective, and intelligence activities.
• Processing of personal data by judicial authorities or enforcement agencies within the scope of investigations, prosecutions, trials, or execution of sentences.
Pursuant to Article 28/2 of Law No. 6698, provided that it is consistent with the purpose and fundamental principles of the law and remains proportionate, the following provisions shall not apply in the cases listed below: Article 10, which regulates the data controller's obligation to inform. Article 11, which regulates the rights of data subjects, except for the right to claim compensation for damages. Article 16, which regulates the obligation to register with the Data Controllers Registry. In these cases, the following exceptions apply:
• If processing personal data is necessary to prevent a crime or for a criminal investigation.
• If the personal data has been made public by the data subject themselves.
• Processing of personal data by authorized and competent public institutions and organizations or professional organizations with public institution status, based on the authority granted by law, for the purpose of conducting supervisory or regulatory duties, or carrying out disciplinary investigations or prosecutions.
• Processing of personal data for budgetary, tax, and financial matters, where necessary to protect the economic and financial interests of the State.
18. PERIODIC DISPOSAL AND AUDIT PERIOD FOR PERSONAL DATA
The timeframes for the deletion, destruction, or anonymization of personal data are regulated in Article 11 of the Regulation as follows: A data controller that has prepared a Personal Data Storage and Disposal Policy must delete, destroy, or anonymize personal data during the first periodic disposal process following the date on which the obligation to dispose of the personal data arises.
The frequency of periodic disposal is determined in the Personal Data Storage and Disposal Policy of the data controller, but in any case, it cannot exceed six (6) months. A data controller not required to prepare a Personal Data Storage and Disposal Policy must delete, destroy, or anonymize personal data within six (6) months from the date when the obligation to dispose of the data arises. Additionally, data protection units and the data controller will conduct regular audits at intervals not exceeding six (6) months. If a violation of the law is identified, or if an action results in irreparable harm, the Personal Data Protection Board may shorten the disposal periods specified in the Regulation.
19. TIMEFRAMES FOR DELETION AND DESTRUCTION OF PERSONAL DATA UPON REQUEST
The timeframes for deletion and destruction of personal data upon request by the data subject are regulated under Article 12 of the Regulation, as follows: If all conditions for processing personal data no longer exist, the data controller must delete, destroy, or anonymize the personal data related to the request. The data controller must respond to the data subject’s request within thirty (30) days and provide them with the necessary information. If the relevant personal data has been transferred to third parties, the data controller must notify the third party, ensuring that the necessary actions are taken under the Regulation. If the conditions for processing personal data still exist, the data controller may reject the request, providing a justification in accordance with Article 13(3) of the Law, and must notify the data subject in writing or electronically within thirty (30) days
20. PUBLICATION, STORAGE, AND UPDATING OF THE POLICY
This policy has been approved by the company representatives and entered into force as a printed document with a wet signature. The hard copy of the policy is stored in the KVK file by the Personal Data Contact Person. The policy is reviewed by the designated Personal Data Contact Person and updated as necessary at least once per year, at the end of each year, or when required.
21. ENFORCEMENT AND TERMINATION OF THE POLICY
This policy shall be deemed effective upon approval by the company representative. If a decision is made to repeal the policy with the approval of the data controller and the decision of the Personal Data Contact Person, all previous printed versions of the policy will be canceled by applying a cancellation stamp or marking them as canceled, and these documents will be stored at the company's headquarters for a minimum period of five (5) years under the custody of the Personal Data Contact Person.
NEXT PLASTİK KAUÇUK SANAYİ VE TİCARET A.Ş.
Address: İstiklal OSB 1 Mahallesi 3. Sk. No:1, Merkez, Düzce, Türkiye
Tax Office/Tax Number: İlyasbey Tax Office Directorate / 6311325194
Email: info@nextrubber.com - nextplastikas@hs01.kep.tr
Phone: +90 (380) 502 09 13