METRO MATBAACILIK SAN. VE TİC. LTD. ŞTİ. CORPORATE PERSONAL DATA PROTECTION POLICY

 

 

Document Information

Document Name: Personal Data Protection Policy

Document Purpose: The purpose of this Policy is to establish the principles and procedures for planning and implementing personal data protection processes by Metro Matbaacılık San. ve Tic. Ltd. Şti.

Publication Date: 23.01.2023

Version No: 1

Reference / Basis: Law No. 6698 on the Protection of Personal Data and other relevant legislation.

Approval Authority: Board of Directors of Metro Matbaacılık San. ve Tic. Ltd. Şti.


 

 

 

 


 

1. PURPOSE

The right to demand the protection of personal data is a fundamental right derived from the Constitution. As Metro Matbaacılık San. ve Tic. Ltd. Şti., we consider fulfilling the requirements of this right one of our most valuable duties. Therefore, we prioritize the lawful processing and protection of your personal data.

This Corporate Personal Data Protection Policy has been prepared to define the principles and procedures we adhere to when processing and protecting personal data, reflecting the importance we place on data protection.

 

2. SCOPE

 

The Policy covers all personal data managed by Metro Matbaacılık, including but not limited to data obtained, recorded, stored, modified, reorganized, disclosed, transferred, acquired, classified, or blocked, whether by fully or partially automated means or by non-automated means as part of a data recording system.

 

The Policy applies to all processed personal data of Metro Matbaacılık’s partners, authorized persons, customers, employees, supplier representatives, and third parties.

 

Metro Matbaacılık may amend the Policy to comply with legislation, decisions of the Personal Data Protection Authority, or to enhance data protection.

 

3. DEFINITIONS

 

Abbreviation / Definition

Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.

Explicit Consent: Consent that is freely given, specific, informed, and based on a clear affirmative action.

Anonymization: Rendering personal data impossible to associate with an identified or identifiable natural person, even when matched with other data.

Data Subject: The natural person whose personal data is processed.

Relevant User: Persons who process personal data within the data controller’s organization or under its authorization, excluding those responsible for technical storage, protection, or backup.

Destruction: Deletion, destruction, or anonymization of personal data.

Law/KVKK: Law No. 6698 on the Protection of Personal Data.

Recording Medium: Any medium containing personal data processed fully/partially automatically or non-automatically as part of a data recording system.

Personal Data: Any information relating to an identified or identifiable natural person.

Data Inventory: An inventory detailing data controllers’ processing activities, purposes, legal grounds, data categories, recipient groups, retention periods, cross-border transfers, and security measures.

Processing of Personal Data: Any operation performed on personal data (e.g., collection, recording, storage, modification, disclosure, transfer).

Board: Personal Data Protection Board.

Authority: Personal Data Protection Authority.

Special Categories of Personal Data: Data relating to race, ethnicity, political opinion, religion, health, sexual life, criminal record, biometric/genetic data, etc.

Periodic Destruction: Automatic deletion, destruction, or anonymization of personal data when processing conditions under the Law no longer apply.

Policy: Personal Data Protection Policy.

Data Processor: Natural/legal persons processing personal data on behalf of the data controller.

Data Controller: The natural/legal person determining the purposes and means of processing personal data.

 

4. GENERAL PRINCIPLES

Metro Matbaacılık audits the compliance of all new workflows involving personal data processing with the following principles. Non-compliant workflows are not implemented.

Metro Matbaacılık ensures personal data is processed:

  • Lawfully and fairly,
  • Accurately and kept up-to-date when necessary,
  • For specified, explicit, and legitimate purposes,
  • In a relevant, limited, and proportionate manner,
  • Retained only for the period required by law or the processing purpose, and destroyed thereafter.

 

5. DATA SECURITY MEASURES

 

Metro Matbaacılık takes all necessary technical and administrative measures to (i) prevent unlawful processing, (ii) block unauthorized access, and (iii) safeguard personal data.

 

5.1. Technical Measures

 

  • Security measures for IT systems (procurement, development, maintenance).
  • Up-to-date antivirus systems.
  • Firewalls.
  • Access controls for physical environments containing personal data.
  • Protection of physical environments against external risks (fire, flood).
  • Secure storage of personal data.
  • Regular backups and backup security.
  • User account management and authorization controls.
  • Encryption.

 

5.2. Administrative Measures

  • Disciplinary regulations for employees on data security.
  • Regular employee training and awareness programs.
  • Corporate policies on access, security, usage, retention, and destruction.
  • Confidentiality agreements.
  • Revocation of access for transferred or departing employees.
  • Data security clauses in contracts.
  • Data security policies and procedures.
  • Prompt reporting of security incidents.
  • Monitoring of data security.
  • Data minimization.
  • Risk and threat assessments.
  • Protocols for special categories of personal data.
  • Encrypted email transmission for special categories (via KEP or corporate accounts).
  • Awareness programs for data processors.

 

6. RIGHTS OF DATA SUBJECTS

 

Data subjects may apply to Metro Matbaacılık to:

  • Learn whether their data is processed,
  • Request information if processed,
  • Learn the purpose and lawful use of processing,
  • Identify third parties receiving their data (domestic/abroad),
  • Request correction of inaccurate/incomplete data and notify third parties,
  • Request deletion, destruction, or anonymization when processing grounds cease, and notify third parties,
  • Object to automated processing resulting in adverse consequences,
  • Claim compensation for damages due to unlawful processing.

 

7. BREACH NOTIFICATIONS

 

Employees must report suspected violations of the Law or Policy to the Board of Directors. If necessary, the Board convenes to create an action plan.

If a breach involves unlawful acquisition of personal data, the Board notifies the affected party and the Authority within 72 hours per Decision No. 2019/10 dated 24.01.2019.

 

8. AMENDMENTS

 

Proposed amendments require Board approval. Updated Policies are communicated via email or published on the website.

 

9. EFFECTIVE DATE

 

This version of the Policy was approved by the Board of Directors and entered into force on 23.01.2023.
