Privacy Policy
1. OBJECTIVE
Every individual has a sacred right, guaranteed by the Constitution, to have their personal data protected.
Çamsar Integrated Forest Products Industry, Trade and Marketing Inc. considers fulfilling the requirements of this right as one of its most valuable duties. Therefore, it attaches importance to the lawful processing and protection of personal data.
As a result of this importance, the Corporate Personal Data Protection Policy has been prepared to define the principles and procedures followed when processing and protecting personal data.
2. SCOPE
Policy;
- All personal data managed by the company,
- It encompasses all operations that are obtained, recorded, stored, maintained, disclosed, transmitted, etc., through automated or non-automated means as part of a data recording system.
- This includes all personal data, including that of partners, officers, customers, employees, suppliers, and third parties.
The company may update this policy to comply with legislation and decisions of the Personal Data Protection Authority.
3. DEFINITIONS
| Abbreviation | Definition |
|---|---|
| Buyer Group | Category of natural/legal persons to whom personal data is transferred |
| Explicit Consent | Informed and freely given consent. |
| Anonymization | The situation where personal data cannot be linked to a natural person in any way. |
| Contact Person | The natural person whose personal data is processed |
| Relevant User | Data processors other than technical personnel |
| Destruction | Deleting, destroying, or anonymizing |
| Personal Data Protection Law (KVKK) | Law No. 6698 on the Protection of Personal Data |
| Recording Medium | The environment where personal data is located |
| Personal Data | Information relating to a specific or identifiable natural person |
| Data Inventory | A system that documents the processes in which personal data is processed. |
| Processing of Personal Data | Operations such as collecting, saving, storing, modifying, describing, etc. |
| Commission | Internal commission managing GDPR processes |
| Board | Personal Data Protection Board |
| Organisation | Personal Data Protection Authority |
| Special Category Personal Data | Race, health, sexual life, etc. private data |
| Periodic Destruction | Data destruction performed at regular intervals. |
| Policy | Personal Data Protection Policy |
| Data Processor | Data processor acting on behalf of the data controller |
| Data Controller | The natural/legal person who determines the purpose of data processing. |
4. GENERAL PRINCIPLES
When processing personal data, Çamsar Entegre:
- He acts in accordance with the law and the rules of honesty.
- It ensures that the data is accurate and up-to-date.
- It operates for specific, clear, and legitimate purposes.
- Work is limited and proportionate to the purpose of processing.
- It only retains the data for the necessary period and then destroys it.
5. DUTIES AND RESPONSIBILITIES
Personal Data Protection Commission:
- It consists of the General Manager, the Human Resources Manager, and the Administrative and Financial Affairs Chief.
- It convenes every six months or in extraordinary sessions as needed.
- It enables the development of policy.
- It identifies risks and takes precautions.
- It updates the data inventory.
- In case of a violation, they contact the Authority.
6. MEASURES TAKEN FOR DATA SECURITY
6.1 Technical Measures
- Network and application security
- Maintaining access logs
- Using antivirus and firewall
- Security in physical environments
- Encryption and authorization controls
- Intrusion detection systems
6.2 Administrative Measures
- Disciplinary regulations
- Awareness trainings
- Privacy agreements
- Authorization matrix and removal of access after job change.
- Internal audits and risk assessments
- Using encrypted email for sensitive data.
- Raising awareness among service providers.
7. RIGHTS OF THE DATA SUBJECT
The person concerned has the following rights:
- To find out if your data is being processed.
- Request information if it has been processed.
- To find out if it is being processed for its intended purpose.
- To find out who the data was transferred to.
- Requesting correction of incomplete/incorrectly processed data.
- Requesting the deletion or destruction of data.
- Object to automated analyses.
- Claim compensation if damage has occurred.
8. VIOLATION REPORTS
Employees report any violations to the Commission.
If the breach takes the form of a data leak, it must be reported to the Board within 72 hours.
9. CHANGES
Policy changes are prepared by the Commission and enter into force upon approval by the Board of Directors.
Updates will be shared via email or website.
10. EFFECTIVE DATE
This version of the policy came into effect on April 16, 2020.
