Alright, I will adapt the provided text for Masaf Plast and leave the specific company details (Title, Address, Chamber of Commerce Info, Tax Number, Website Address) empty for you to fill in. I will simply replace “Serinova” with “Masaf Plast” where appropriate.
Here are the adapted texts:
CLARIFICATION TEXT ON THE PROTECTION AND USE OF PERSONAL DATA
With this Clarification Text on the Protection and Use of Personal Data, we would like to inform and enlighten you about the principles of protection and use of your personal data within the framework of the Personal Data Protection Law No. 6698 [“KVKK”]. First of all, we would like to state that our Company attaches great importance to keeping the information of all individuals with whom we communicate, such as customers, suppliers, employees, workplace visitors, etc., confidential and not sharing this information with third parties.
During our activities carried out by our Company, our Company is considered the “Data Controller” within the framework of the legislation regarding the personal data we receive from you on any occasion. Our title and contact information as Data Controller are as follows:
Title: [MASAF PLAST OFFICIAL TITLE HERE]
Address: [MASAF PLAST ADDRESS HERE]
Chamber of Commerce Information: [MASAF PLAST CHAMBER OF COMMERCE INFO HERE]
Tax Number: [MASAF PLAST TAX NUMBER HERE]
All your personal data shared with our Company may be processed, stored, transferred to third parties domestically and abroad, updated, transferred, and processed in other ways listed in the KVKK, in accordance with KVKK regulations and the principles of this Clarification Text, in connection with our activities and within the framework of fulfilling our obligations to you and ensuring our communication with you.
Your personal data may be collected verbally, in writing, or electronically through, but not limited to; offer forms, contact forms, business cards, job application forms you fill out in printed or electronic form, contracts you have signed with our company, or emails, faxes, and letters you have sent to our company, and written or verbal communications made with our company, etc.
For Data Subjects to benefit most efficiently from the [MASAF PLAST WEBSITE ADDRESS HERE] website managed by our Company and to improve the user experience, Cookies are used based on the consent given upon entering the website. A cookie is a small text file stored on your device or network server by websites you visit through browsers.
What Are the Purposes of Processing Your Personal Data?
First, we would like to state that all your personal data shared with our Company will be processed lawfully and fairly, in connection with the processing purposes, limited and proportionate, accurately and up-to-date, and for specific, explicit, and legitimate purposes. Within the framework of this basic principle and based on your explicit consent, your personal data may be processed for purposes such as improving our communication with you, ensuring the fulfillment of our contracts, recording address and other necessary information for communication, organizing records and documents of transactions you have carried out, providing information about our commercial activities, increasing customer satisfaction, using for various marketing activities, informing about our services, fulfilling our legal obligations, fulfilling other obligations stipulated by legislation, congratulating you on official and religious holidays, and ensuring workplace security.
Which of Your Personal Data is Processed?
Within the framework of the purposes of processing your personal data, we process your name, surname, email address, phone number, gender, date of birth, Turkish ID number, tax ID number, invoice and delivery addresses, other information you have consented to share, and, without being limited to these, certain other data that directly or indirectly identifies you.
Is Your Personal Data Shared with Third Parties?
Your personal data used by our Company may be shared with our group companies for the fulfillment of our contractual relationships, and, without being limited to these, with our business partners, performance assistants, subcontractors, and other third parties with whom we collaborate (cargo, courier companies, etc. service providers) for the purpose of ensuring the fulfillment of our contracts. Additionally, it may be shared with official authorities and bodies for the fulfillment of our legal obligations. Your personal data will under no circumstances be shared with third parties for commercial purposes and/or transferred to third parties for such a purpose.
What Are Your Rights as a Personal Data Subject?
Within the framework of the KVKK and other relevant legislation, as a personal data subject, you have the following rights:
- To learn whether your personal data is being processed.
- To request information if your personal data has been processed.
- To learn the purpose of processing personal data and whether they are used in accordance with their purpose.
- To know the third parties to whom your personal data is transferred domestically or abroad.
- To request correction of your personal data if it is incomplete or incorrectly processed.
- To request the deletion or destruction of your personal data within the conditions stipulated in the KVKK legislation.
- To request that the correction of incomplete or incorrect data, and the deletion or destruction of your personal data, be notified to third parties to whom your personal data has been transferred.
- To object to the occurrence of an unfavorable outcome for you by analyzing the processed data exclusively through automated systems.
- To request compensation for damages if you suffer damage due to unlawful processing of your personal data.
In this context, you can send your requests regarding these rights by filling out the form on our website or by creating your own request in a way that meets the conditions determined by the Personal Data Protection Authority, to our email address or postal address provided below, using the methods determined by the Personal Data Protection Authority. Masaf Plast will finalize the request as soon as possible and within 30 (thirty) days at the latest, free of charge, depending on the nature of the request. If an additional cost arises for Masaf Plast to finalize the requests, Masaf Plast may request the fees determined by the tariff set by the Personal Data Protection Board.
Postal address: [MASAF PLAST ADDRESS HERE]
Email address: [MASAF PLAST EMAIL ADDRESS HERE]
You can always follow changes in personal data legislation and our practices on the relevant page of our website. In your applications regarding your requests, your requests must be written clearly and understandably, your requests must relate to you personally, and your identity, address information, and documents verifying your identity must be attached to your application.
How Long Is Your Personal Data Stored?
While your personal data is processed in accordance with the KVKK and other legal regulations, it is deleted, destroyed, or anonymized when the reasons for processing cease to exist or upon your request.
If there is explicit consent for a limited period, your personal data is deleted, destroyed, or anonymized at the end of the period. In the case of a contractual relationship, personal data is retained until the end of the statutory limitation periods.
In the presence of legal periods under labor law legislation, social security legislation, occupational safety legislation, tax legislation, customs legislation, etc., your personal data is deleted, destroyed, or anonymized after the end of the relevant legal periods.
Camera recordings at our company workplaces are deleted in 10-day periods.
Records created for entry and exit at our company are deleted, destroyed, or anonymized in 120-day periods.
In accordance with the Law on Regulation of Electronic Commerce No. 6563, records regarding the withdrawal of consent will be kept for 1 (one) year from that date, and all other records regarding the content of the commercial electronic message and the dispatch will be kept for 3 (three) years to be presented to the Ministry when necessary.
KVKK Application Form
Download
PERSONAL DATA STORAGE, PROCESSING, AND DESTRUCTION PROCEDURE
1. PURPOSE:
This procedure has been designed and issued to ensure that our employees keep all Personal Data (see definitions below) confidential that they obtain or become aware of during the performance of their duties, and that they comply with the Personal Data Protection Law No. 6698 (hereinafter referred to as “KVKK“) and secondary legislation derived from it, as well as the decisions taken by the Personal Data Protection Board.
2. SCOPE:
The scope of this procedure includes all personal data of our customers, potential customers, job applicants, company shareholders, company officials, visitors, employees, shareholders, and officials of institutions with which we collaborate, and other third parties processed by automatic means or by non-automatic means provided that they are part of a data recording system. Issues regarding the protection and processing of employees’ personal data are applied within the scope of the Personal Data Storage, Processing, and Destruction Procedure.
3. ABBREVIATIONS AND DEFINITIONS:
Personal Data: Any information relating to a Data Subject, such as name, address, phone number, email address, or similar identifying information.
Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, altering, re-arranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, wholly or partly by automatic means or by non-automatic means provided that they are part of any data recording system.
Personal Health Data: Any information relating to the physical and mental health of an identified or identifiable real person, and information regarding health services provided to the person.
Customers/Prospective Customers: Real persons whose personal data is obtained due to business relations within the scope of activities carried out by Masaf Plast, regardless of whether there is a contractual relationship.
Special Categories of Personal Data: Data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
Third Parties: Other real persons, including but not limited to suppliers, victims, family members, etc., whose personal data is processed within the scope of this Procedure, even if not defined in the Procedure.
VERBİS: Data controllers (Masaf Plast) data registry information system.
Data Contact Person: The real person notified by the Masaf Plast Board of Directors to VERBİS during registration for communication with the Personal Data Protection Authority.
Data Processor: A real or legal person who processes personal data on behalf of the data controller based on the authority given by them.
Visitors: Real persons who have entered Masaf Plast’s physical facilities for various purposes or visited its websites.
4. REFERENCE DOCUMENTS:
- Personal Data Protection Law No. 6698
- Clarification Text on the Protection and Processing of Personal Data
5. APPLICATION DETAILS:
5.1 PERSONAL DATA STORAGE AND PROCESSING ACTIVITIES
During business activities, our employees collect, process, store, and destroy personal data using the procedures outlined in this procedure.
In this context, detailed explanations regarding storage and destruction are provided sequentially below.
5.1.1 Explanations Regarding Storage
In Article 3 of the KVKK, the concept of “processing personal data” is defined, and in Article 4, it is stated that processed personal data must be “connected to the purpose for which they are processed, limited and proportionate, and kept for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.” Articles 5 and 6 list the “conditions for processing personal data.”
Accordingly, personal data is stored within the framework of Masaf Plast’s business activities for the periods stipulated in the relevant legislation or for purposes appropriate to the processing purposes and for the periods specified in Article 5.8 of this procedure.
5.1.2 Legal Reasons Requiring Storage
Masaf Plast retains personal data processed within the framework of business activities in accordance with the periods stipulated in the relevant legislation. In this context, personal data is stored and processed in accordance with the following laws and, without being limited to them, secondary regulations in force and administrative regulations that Masaf Plast must comply with:
- Turkish Code of Obligations No. 6098
- Social Insurance and General Health Insurance Law No. 5510
- Law on Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications No. 5651
- Occupational Health and Safety Law No. 6361
- Disaster Insurance Law No. 6305
- Turkish Commercial Code No. 6102
- Labor Law No. 4857
- Highway Traffic Law No. 2918
- Law on Consumer Protection No. 6502
- Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes
5.1.3 Processing Purposes Requiring Storage
Personal data is stored for the purposes detailed in the Masaf Plast Personal Data Protection and Processing Regulation and listed below:
- Ensuring corporate communication.
- Ensuring institutional security.
- Performing statistical studies.
- Carrying out advertising and campaign processes.
- Sales and Marketing: Employees may collect, process, and transfer personal data about customers during order creation, invoice generation, customer complaints, and customer satisfaction processes within the scope of commercial activities with customers, under the conditions mentioned in this procedure.
- Managing Human Resources Processes: Employees may collect, process, and transfer personal data within the framework of existing laws, such as job applications, recruitment of Masaf Plast employees, salaries, fringe benefits and related matters, fulfillment of contractual and legal obligations for employees, planning of human resources processes, and conducting occupational health and safety activities.
- Suppliers: In case of a sole proprietorship to be collaborated with or from whom services will be obtained, the data of the authorized real person may be collected, processed, and transferred.
- Carrying out relevant processes within the scope of authorized service applications and authorized service contracts.
- Establishing contact with real/legal persons having business relations with Masaf Plast.
- Making legal reports.
- Burden of proof as evidence in future legal disputes.
5.1.4 Reasons Requiring Destruction
Personal data is deleted, destroyed, or anonymized by Masaf Plast, either ex officio (periodic destruction periods) or upon the request of the data subject, in accordance with the relevant legislative provisions, in the following cases:
- Changes or abolition of relevant legal provisions that form the basis for processing.
- Cessation of the purpose requiring processing or storage.
- In cases where personal data processing is based solely on explicit consent, withdrawal of the data subject’s explicit consent.
- Acceptance by Masaf Plast of the data subject’s application for deletion and destruction of their personal data in accordance with their rights under Article 11 of the Law.
- If Masaf Plast rejects the data subject’s application for deletion, destruction, or anonymization of their personal data, finds the response inadequate, or fails to respond within the period stipulated in the KVKK; if a complaint is filed with the Personal Data Protection Board and this request is approved by the Personal Data Protection Board.
- Expiry of the maximum period requiring the storage of personal data, and the absence of any condition justifying storing the personal data for a longer period.
5.2 RECORDING ENVIRONMENTS
Personal data is stored securely and lawfully by Masaf Plast in the environments listed in Table 1.
Table 1: Personal Data Storage Environments
| Electronic Environments | Non-Electronic Environments |
| 1. Software | (1) Manual data recording environments |
| – Server | (a) Forms |
| – Netsis | (b) Documents |
| 2. Firewall: Draytek Security Firewall | (c) Visitor logbook |
| 3. Antivirus: AVG business | |
| 4. Personal computers | |
| 5. Mobile phones | |
| 6. Tablets | |
| 7. Optical disks | |
| 8. Camera recording systems | |
| 9. Audio recording systems | |
| 10. Printers | |
| 11. Photocopiers |
5.3 PERSONAL DATA PROCESSING CONDITIONS
For personal data to be processed and used in accordance with this procedure and the Masaf Plast Personal Data Protection and Processing Regulation, the Data Subject must be enlightened about the processing activities, permission must be sought for personal data processing, and the explicit consent of the Data Subject must be obtained.
For this purpose, our employees should work according to approved forms, contracts, and explicit consent texts.
However, the condition of obtaining explicit consent from the Data Subject should not be applied if one of the following exceptions applies:
- If processing Personal Data is necessary for the performance and implementation of a contract to which the Data Subject is a party, or to take necessary steps at the Data Subject’s request before entering into a contract.
- If processing Personal Data is necessary to comply with a legal obligation.
- If processing Personal Data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
- If general public information, interpretive information, and/or statistical data and information are processed.
5.3.1 Masaf Plast’s Obligation to Inform as Data Controller
Even if it is not always necessary to obtain explicit consent from the Data Subject for the processing of Personal Data as mentioned in Article 5.5 of this procedure, Masaf Plast always has the obligation to inform Data Subjects about the following:
- The identity of the Data Controller and their representative, if any.
- The purpose for which personal data will be processed.
- To whom and for what purpose processed personal data may be transferred.
- The method and legal reason for collecting personal data.
- Other rights of the Data Subject listed in Article 5.5 of this procedure.
Masaf Plast informs data subjects during the acquisition of personal data. In this context, it has published a Clarification Text on its website. Masaf Plast may occasionally need the personal data of its suppliers for the purpose of carrying out business processes and ensuring communication. In this case, it is possible for the relevant Masaf Plast officials to send a “Supplier Explicit Consent and Clarification Text Agreement” to ensure the fulfillment of Masaf Plast’s clarification obligation towards the said supplier.
5.3.2 Rules to Be Followed in the Processing of Special Categories of Personal Data:
Unless necessary for the exercise of certain rights or the fulfillment of certain obligations arising from labor laws and legislation, and except for situations where permission and authority are granted by other applicable legislation, including this procedure, explicit permission and consent of the data subject must always be obtained before processing Special Categories of Personal Data.
5.3.3 Rules to Be Followed in the Processing of Personal Data of Employees and Job Applicants
For the processing of Personal Data, including Special Categories of Personal Data belonging to employees, in accordance with the Labor Law and other relevant legislation or for other purposes determined by Masaf Plast, the obligation to inform and obtain explicit consent must be fulfilled by having current Masaf Plast employees sign the “KVKK Personnel Information and Consent Form.”
For persons who are not currently Masaf Plast employees but whose recruitment process will be successfully completed, the obligation to inform can be fulfilled by adding the “Personal Data Protection Clause to Be Added to the Employment Contract” to the employment contract to be signed by the relevant person and signing the employment contract in this form.
5.3.4 Principles to Be Followed in the Processing and Use of Customers’ Personal Data for Marketing Purposes
For the collection and processing of customers’ personal data for direct or indirect marketing purposes, explicit consent of the data subject customer must be obtained before the personal data is collected. Furthermore, the possibility for Data Subjects to withdraw their consent for commercial communication must be provided both during the consent acquisition and in every communication.
5.3.5 Specific Points Employees Processing Personal Data Due to Their Duties Are Expected to Observe
When processing Personal Data on behalf of Masaf Plast as a requirement of their duties and during their duties, our employees are expected to observe the following points in addition to the matters contained in this procedure:
- Personal Data must be processed in accordance with Data Protection Legislation, by legitimate means, and fairly.
- Personal Data must be processed only for permitted and declared legal purposes.
- Data must never be processed and stored for a purpose that is not disclosed to the Data Subject or is not legitimate.
- Personal Data must be sufficient for the purpose of processing, related and connected to this purpose, and not excessive in quantity or number compared to the processing purpose.
- Personal Data must be accurate and truthful and updated when necessary.
- Personal Data processed and used for any purpose must not be kept or stored for a period longer than necessary for that purpose.
5.3.6 Rules to Be Followed by Employees Processing Special Categories of Personal Data Due to Their Duties
Employees processing Special Categories of Personal Data on behalf of Masaf Plast as a requirement of their duties and during their duties, in addition to observing the other articles of this procedure and the matters mentioned in Article 5.3.6, must sign a Confidentiality Agreement in accordance with KVKK legislation.
5.3.7 Rules to Be Followed When Transferring and Assigning Personal Data
Our employees will not transfer data to any third party except under the conditions specified in this procedure.
5.4 TECHNICAL AND ADMINISTRATIVE MEASURES
Masaf Plast takes technical and administrative measures within the framework of sufficient precautions in accordance with the Personal Data Protection Law for the secure storage of personal data, prevention of unlawful processing and access, and lawful destruction of personal data.
5.4.1 Technical Measures
The technical measures taken by Masaf Plast regarding the personal data being processed are listed below:
- Network security and application security are ensured.
- Closed system networks are used for personal data transfers via the network.
- Security measures are taken within the scope of information technology systems procurement, development, and maintenance.
- Access logs are regularly maintained.
- Up-to-date antivirus systems are used.
- Firewalls are used.
- User account management and authorization control systems are implemented and monitored.
- Log records are kept in a way that prevents user intervention.
- Existing risks and threats have been identified.
- Intrusion detection and prevention systems are used.
- Cybersecurity measures have been taken and their implementation is continuously monitored.
- Special categories of personal data transferred from portable memory, CD, and DVD media are transferred encrypted.
- Awareness of data security is ensured for data processing service providers.
- Data loss prevention software is used.
5.4.2 Administrative Measures
The administrative measures taken by Masaf Plast regarding the personal data being processed are listed below:
- Disciplinary regulations containing data security provisions exist for employees.
- Regular training and awareness activities on data security are conducted for employees.
- An authorization matrix has been created for employees.
- Confidentiality agreements are made.
- Authorities in this area are removed for employees who change positions or leave employment.
- Signed contracts contain data security provisions.
- Personal data security policies and procedures have been determined.
- The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
- The security of environments containing personal data is ensured.
- Personal data is minimized as much as possible.
- Personal data is backed up, and the security of backed-up personal data is also ensured.
- Internal periodic and/or random audits are conducted and commissioned.
- Existing risks and threats have been identified.
- Protocols and procedures for special categories of personal data security have been determined and implemented.
- If special categories of personal data are to be sent via email, they are always sent encrypted and using KEP (Registered Electronic Mail) or a corporate email account.
- Awareness of data security is ensured for data processing service providers.
5.5 RIGHTS OF DATA SUBJECTS
Data subjects whose personal data is processed by Masaf Plast can apply to Masaf Plast and request information about themselves regarding:
- Whether their personal data is processed.
- If their personal data has been processed, to request information about it.
- The purpose of processing personal data and whether they are used in accordance with their purpose.
- Knowing the third parties to whom personal data is transferred domestically or abroad.
- Requesting correction of personal data if it is incomplete or incorrectly processed.
- Requesting the deletion or destruction of personal data within the conditions stipulated in the Data Protection Legislation.
- Requesting that transactions made regarding personal data be notified to third parties to whom personal data has been transferred.
- Objecting to the occurrence of an unfavorable outcome for the person by analyzing the processed data exclusively through automated systems.
- Requesting compensation for damages if they suffer damage due to unlawful processing of personal data.
In cases where Personal Data is collected directly as part of marketing efforts, the Data Subject has the right to object to their Personal Data being given to third parties or used for marketing purposes, or to request to be informed before their Personal Data is given to third parties or used for marketing purposes.
5.6 SECURITY CONDITIONS
Masaf Plast employees take all reasonable security measures, including the following, to protect Personal Data against the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access (Security Incident):
- Limiting access to Personal Data only to employees who are strictly required to access this information during the performance of their duties.
- Using password-protected electronic files, where appropriate.
- Organizing files containing Personal Data regularly and restricting physical access to these files as necessary and appropriate.
- Immediately notifying their superior if they become aware of events or situations such as unauthorized access to Personal Data or improper use of Personal Data.
- Obtaining explicit consent from the relevant Data Subject and fulfilling the obligation to inform regarding the processing subject before using Personal Data for a purpose other than the initial stated purpose.
- Security measures taken to protect Personal Data are periodically audited. This determines whether additional security measures or procedures are needed for personal data protection.
5.7 PERSONAL DATA DESTRUCTION TECHNIQUES
At the end of the period stipulated in the relevant legislation or the storage period necessary for the purpose for which they were processed, personal data is destroyed by Masaf Plast, either ex officio (periodic destruction periods) or upon the request of the data subject, in accordance with the relevant legislative provisions, using the techniques specified below.
Deletion of Personal Data
Personal data is deleted using the methods provided in Table 2.
Table 2: Deletion of Personal Data
| Data Recording Environment | Description |
| Personal Data on Servers | For personal data on servers whose retention period has expired, the deletion process is carried out by the system administrator by revoking the access rights of the relevant users. |
| Personal Data in Electronic Environment | Personal data in electronic environments whose retention period has expired are made inaccessible and unusable in any way for employees other than the database administrator (relevant users). |
| Personal Data in Physical Environment | For personal data kept in a physical environment whose retention period has expired, they are made inaccessible and unusable in any way for employees other than the responsible unit manager. In addition, blackening is applied by crossing out/painting/erasing the data in an unreadable manner. |
| Personal Data on Portable Media | For personal data kept on flash-based storage media whose retention period has expired, they are encrypted by the system administrator and stored in secure environments with encryption keys, with access rights granted only to the system administrator. |
Destruction of Personal Data
Table 3: Destruction of Personal Data
| Physical Environment Personal Data | Personal data on paper whose retention period has expired are destroyed irreversibly in paper shredders. |
| Optical / Magnetic Media Personal Data | For personal data on optical media and magnetic media whose retention period has expired, physical destruction such as melting, burning, or pulverizing is applied. In addition, data on magnetic media is made unreadable by passing it through a special device and exposing it to a high magnetic field. |
Anonymization of Personal Data
Anonymization of personal data means rendering personal data incapable of being associated with an identified or identifiable real person, even by matching it with other data. For personal data to be anonymized, the personal data must be rendered incapable of being associated with an identified or identifiable real person by the data controller or third parties, even through the use of appropriate techniques, such as reversing and/or matching the data with other data, considering the recording environment and the relevant area of activity.
5.8 STORAGE AND DESTRUCTION PERIODS BY DATA TYPES
Department managers are responsible for retaining the data specified in the table below for the relevant retention periods.
The Masaf Plast periodic destruction period for which department managers are responsible for monitoring has been determined as 1 year. Department managers are responsible and authorized to ensure that destructions are carried out in accordance with these periods and to make necessary reminders regarding the destruction of personal data whose retention period has expired.
Table 4: Personal Data Storage and Destruction Periods
| DATA TYPE | RETENTION PERIOD | DESTRUCTION PERIOD |
| Emails and internal correspondence | 10 years | First period after the end of the retention period |
| Contracts | 10 years following the termination of the contract | First period after the end of the retention period |
| Customer Records | 10 years following the last interaction with the customer | First period after the end of the retention period |
| Employee Records | Throughout their employment | First period after the end of the retention period |
| Former Employee Records | 10 years following their departure from employment | First period after the end of the retention period |
| Job Applicant Records | 2 years following the application | First period after the end of the retention period |
| Accounting and Financial Records | 5 years | First period after the end of the retention period |
| Internal Complaints and Related Documents | 10 years | First period after the end of the retention period |
| Legal Records | 10 years | First period after the end of the retention period |
Please let me know if you need any other specific adjustments or additions to these documents!
