1. INTRODUCTION

1.1. The Scope and the Purpose of the Policy

The Law on the Protection of Personal Data, No: 6698(Law and/or “KVKK”) has entered into force on 07/04/2016; and, while ensuring compliance with the Law and while rocessing the personal data of the employees of Bonna Porselen Sanayı Ve Tıcaret Lımıted Sırketı  (“Company“), hereby this Policy on the Processing and the Protection of Personal Data of Employees/ Candidates/ Interns (“Policy”) is intended to determine the principles to be followed in ensuring compliance with in fulfilling the obligations regarding the protection and processing of personal data by Company.

The policy determines the processing conditions of personal data and sets out the main principles adopted by the Company in the processing of personal data. In this context, the Policy covers all of the processed personal data activities and of the Employees/Candidates/ Interns processing a within the context of the Law and all of the personal data processed by the Company.

Definitions related to the terms used in this policy are available in ANNEX-1.

1.2. Effectiveness and Amendment

This Policy has been published on https://bonna.com.tr/ and submitted for the information of the concerned. Company reserves the right to change the policy in accordance with legal regulations. In case of conflict between the law and the provisions of the policy, the provisions of the current legislation will be applied.

2. DATA SUBJECTS, PURPOSES OF PROCESSING DATA AND DATA CATEGORIES WITHIN THE CONTEXT OF THE POLICY

2.1. Data Subjects Within the Context of the Policy

Data subject within the scope of the policy, whose personal data are processed by Company are employees / candidates / ınterns of the Company.

2.2. The Purposes of Processing Personal Data

2.2.1. General Purposes in relation to the Processing of the Personal Data of Employees/Candidates/Interns

The personal data and the special personal data can be processed by Company in according to the personal data processing conditions for the following purposes:

MAIN PURPOSESSECONDARY PURPOSES
Carrying out the necessary works by our business units to make the related persons used of the services provided by the Company and conducting such business processes
  1. Requests and Complaints
  2. Contract Processes and Legal Requests
Ensuring the legal, technical and commercial-occupational safety of the company and the persons in business relationship with the Company
  1. Planning and Execution of Operational Activities that are Required to Ensure that Company Activities are Conducted in Compliance with Company Procedures and Relevant Legislation
  2. Planning and Execution of Occupational Health and Safety Processes
  3. Ensuring Data Is Correct and Updated
  4. Giving Information to Authorized Institutions Based on Legislation
  5. Ensuring the Safety of the Company, Campus and Facilities
  6. Visitors enrolment and audity
  7. Ensuring the Security of Company Operations
  8. Ensuring the Security of Company Fixtures and Resources
  9. Legal Affairs 
  10. Planning and Execution of Company Audit Activities
Planning and executing the company’s human resources policies and processes
  1. Fulfillment of Employment Contract and the Obligations in accordance with Legislation for Employees
  2. Employees / candidates / ınterns
  3. Business activities and audit
  4. Planning of Human Resources Processes 
  5. Planning and implementation of In-Company Appointment-Promotion and Dismissal Processes
  6. Authority to access information of employees / candidates / ınterns
  7. Corporate Communications for Employees / Prospective Employees / Trainees and Planning and Execution of Corporate Social Responsibility and Non-Governmental Organizations Activities Employed by Employees
  8. Talent- Career Development Activities
  9. Performance Evaluation Processes
  10. Planing side benefits and advantages for Employees / Prospective Employees / Trainees
  11. Planning of employee termination procedures
  12. Planning the Processes for Getting and Evaluating Employees’ Suggestions for Improving the Company Processes
  13. Compensation Management
  14. Satisfaction and loyalty process of Employees / Prospective Employees / Trainees
Performing the necessary works by our relevant business units in order to carry out the activities conducted by the Company, and  and conducting business processes related to those
  1. Planning of business activities
  2. Planning of corporate communication activities
  3. Finance and accounting affairs
  4. Planning and Execution of Occupational Health and Safety Processes
  5. Activity management
  6. Planning and Control of Information Security Processes
  7. Creation and Management of Information Technologies Infrastructure
  8. Planning Corporate Governance Activities
  9. Planning Research and Development Activities
Planning and execution of the company’s operational, commercial and business strategies
  1. Planing the External Activities
  2. Management of Relations with Business Partners and Suppliers
  3. Execution of strategic planning activities
  4. Planning of distance education center’s activities
Activities required by the company to recommend and promote its programs and services
  1. Planning and Execution of Company Programs and Services
  2. Planing the Satisfaction Survey of Company
  3. Marketing processes of programs and services
2.2.2. Activities Carried Out Regarding the Processing of Personal Data of Employees
    • Compnay’ s personal data processing activities within the framework of her business relationship with employees are given below.
    • Within the framework of communication, of e-mail and of internet traffic monitoring activities, all data related to phone conversations (not the content of the conversation, but only the duration of which number has been spoken), e-mail contents and the date of sending, and, all internet traffic information due to the Law No: 5651 (Law on Arrangement of Internet Publications and Combating Crimes Committed Through These Publications) regarding the internet access provided in Company facilities and campuses, could be monitored/traced/tracked by Company and might be processed by her when necessary. It is forbidden to use communication, e-mail and internet services for private purposes outside of work, which are allocated to her employees by Company.
    • Personal data regarding employees can be processed within the framework of the disciplinary activities and the activities on tackling with irregularities while it is possible to process various personal data of the employees and disciplinary proceedings initiated to reveal irregular processes, also, regarding all data that could be collected from inside or outside of Company, all kinds of data processing activities, such as comparison, could be carried out. 
    • Some parts of Company campus can be monitored by security cameras and images can be processed for the purposes specified in the Policy on the Employees of Bonna Porselen Sanayı Ve Tıcaret Lımıted Sırketı.
    • The computers -allocated by Company- can be tracked and your personal data in electronic devices can be processed. It is forbidden to use these electronic devices for private purposes outside of work and to store private personal data outside of these devices outside of work.
    • The It may be the case for processing personal data for the purpose of planning the interests and side benefits of the employees, for example, providing health insurance to the employees. In case of transferring data to third parties within the scope of planning the benefits and benefits to the facility, careful attention is paid to limited transfer for the purpose. In the event that the data transferred are the personal data of special nature, additional measures are taken by Company.
  • The health data of employees are tried to be processed in the narrowest possible scope. As a rule, access to health data could only be carried out by authorized employees, if necessary. In cases where health data needs to be processed, information is given to the persons authorized to perform this processing to understand the sensitivity of this data and to take the necessary importance.

3. Personal Data Categories

Within the scope of personal data processing activities of employees carried out by Company; she processes the personal data categorized below based on one and / or more than one of the personal data processing conditions specified in Articles 5 and 6 of KVKK.

CATEGORIZATION OF PERSONAL DATAEXPLANATION
IdentityAll information regarding the identity of the person in documents such as driver’s license, identity card, passport, attorney ID, marriage certificate
Contact InformationInformation to contact the data subject such as phone number, residence, address, e-mail
Information of Family Members and Relatives of the Data SubjectInformation about the products and services we offer or about the family members and relatives of the personal data owner processed to protect the legal interests of the Company and the data subject.
Physical Space Security InformationPersonal data about the records and documents such as camera records, fingerprint records taken during the stay in the physical space at the entrance to the physical space
Process Security InformationYour personal data processed to ensure our technical, administrative, legal and commercial security while conducting our commercial activities
Financial InformationThe personal data processed regarding the information, documents and records showing all kinds of financial results created according to the type of legal relationship established with the personal data owner of our company.
Personnel InformationThe personal data processed regarding the information, documents and records showing all kinds of financial results created according to the type of legal relationship established with the personal data owner of our company.
Employee Transaction InformationPersonal data processed for all kinds of work done by our employees or real persons who have a working relationship with our Company
Employee Performance and Career Development InformationPersonal data processed for the purpose of measuring and evaluating the performance of our employees or real persons who have a working relationship with our Company and planning and executing career developments within the scope of our Company’s human resources policy.
Side Benefits and Advantages InformationPlanning of the benefits and side benefits we offer and will offer to our employees or other real persons who have a business relationship with our Company, personal data processed to determine objective criteria for entitlement to them and to follow up on entitlement to them,
Legal Transaction and Compliance InformationPersonal data processed within the scope of determination of legal receivables and rights, follow-up and performance of our debts, and compliance with our legal obligations and our Company’s policies
Audit and Inspection InformationPersonal data processed within the scope of our company’s legal obligations and compliance with Company policies
Personal Data of Special NaturePersonal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are deemed to be personal data of special nature.
Request / Complaint Management InformationPersonal data regarding the receipt and evaluation of any requests or complaints addressed to our company
Reputation Management InformationInformation collected for the purpose of protecting the commercial reputation of our company and information related to the evaluation reports and actions
Incident Management InformationPersonal data processed in order to take necessary legal, technical and administrative measures against events that emerged to protect the commercial rights and interests of our company.

4. PRINCIPLES AND CONDITIONS REGARDING THE PROCESSING OF PERSONAL DATA

4.1. Principles on the Processing of Personal Data

The personal data is processed in accordance with the personal data processing principles in Article 4 of  KVKK by Company 

 It is imperative to comply with these principles for each personal data processing activity.

  • Lawfulness and conformity with rules of bona fides.
  • Accuracy and being up to date, where necessary.
  • Being processed for specific, explicit and legitimate purposes
  • Being relevant with, limited to and proportionate to the purposes for which they are processed.
  • Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed.

4.2. Conditions of the Processing of Personal Data

Accordingly, the basis of the personal data processing activity might be only one of the conditions mentioned beloved, and more than one of these conditions might be the basis of the same personal data processing activity.

    • Having the Explicit Consent of the Data Subject, The primary condition for processing of the personal data is the explicit consent of of the data subject. The explicit consent of the data subject has to be given freely, specific and informed consent.
    • It Must Clearly Provided For By The Laws, Personal data of the data subject may be processed in accordance with the law without seeking the explicit consent of the data subject in cases where they are clearly provided for by the Laws.
    •  Where it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his / her consent or whose consent is not deemed legally valid, Personal Data of the data subject might be processed in cases where it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his / her consent or whose consent is not deemed legally valid.
    • Direct relation with the conclusion or fulfilment of the contract, Personal Data of the data subject might be processed in cases where processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfilment of contract
  • Legal Obligation, Personal Data of the data subject might be processed in cases where it is mandatory for the controller to be able to perform our Company’s legal obligations
  • Making the data available to the public by the data subject himself / herself, Within the boundaries of making the personal data available to the public, personal Data of the data subject might be processed in cases where the data concerned is made available to the public by the data subject himself 
  • Where data processing is mandatory for the establishment, exercise or protection of any right, Personal Data of the data subject might be processed in cases where data processing is mandatory for the establishment, exercise or protection of any right.
  • Where data processing is mandatory for the legitimate interests of our Company, Personal Data of the data subject might be processed in cases where it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

5. CONDITIONS ON THE PROCESSING OF PERSONAL DATA OF SPECIAL NATURE

In the Article 6 of the KVKK, special personal datas are specified to be limited. They are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data of persons.

Company could process special personal data by providing additional measures determined by the Personal Data Protection Board in the following cases,

  • The processing of special personal data, other than health and sexual life, can be processed if the data subject gives explicit consent or when clearly prescribed by law.
  • Personal data related to health and sexual life, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, the data owner is open by the persons who are under the obligation to keep secrets or authorized companies and organizations. can be processed without seeking consent.

6. TRANSFER OF PERSONAL DATA

Company may transfer personal data at home or abroad in case there are conditions for transferring personal data, in accordance with the Articles of 8 and 9 of KVKK and with the additional regulations determined by the Personal Data Protection Board.

  • Transfer of personal data to third persons at home, Your personal data, provided that at least one of the data processing conditions stated in Articles 5 and 6 of KVKK and specified under the Section.3 of this Policy exists and provided that they comply with the basic principles of data processing, might be transferred by Company.
  • Transfer of personal data to third persons abroad, in the cases a person does not renders his/her explicit consent, your personal data, provided that at least one of the data processing conditions stated in Articles 5 and 6 of KVKK and specified under the Section.3 of this Policy exists and provided that they comply with the basic principles of data processing, might be transferred by Company.
  • In case the country to be transferred is not from the safe countries to be announced by the Personal Data Protection Board, upon undertaking adequate protection in writing in the relevant country by Company and the data controller, personal Data may be transferred abroad to third parties in case of at least one of the data processing conditions specified in article 5 and 6 of KVKK (see Policy Title 3), provided that the Board permits this process.

Within the scope of the general principles of KVKK and data processing conditions specified in Articles 8 and 9, Company may transfer data to the parties categorized in the table below:

CATEGORIZATION OF TRANSFERRED PARTSCOPEPURPOSE OF TRANSFER
Business PartnerThe parties that Company has established a business partnership with while conducting commercial activities
Limited sharing of personal data to ensure the fulfillment of the business partnership’s objectives
ProviderAccording to the instructions received from Company and in accordance with the contract with Company, Parties providing services for Company to continue commercial activitiesLimited transfer by receiving outsourced services from the supplier
Legally Authorized Public AuthorityPublic institutions and organizations authorized to receive information and documents from  CompanyLimited personal data sharing of relevant public institutions and organizations for the purpose of requesting information
Authorized Private CompanyLegal persons authorized to receive information and documents from CompanyLimited sharing of data for the purpose requested by the relevant private law persons within their legal authority

7. RIGHTS OF AND INFORMING THE EMPLOYEES

According to the Article 10 of KVKK whilst collecting personal data, the controller or the person authorised by him is obliged to inform the data subjects. As per the relevant article, as a data supervisor, In all cases where personal data processing is carried out by Company, the necessary structure has been established within the Company in order to enlighten the data owners. 

  • For the purpose of processing your personal data, please review Section 2.2 of the Policy 2.2. 
  • Please review Section 4 of the Policy for the parties to which your personal data is transferred and the purpose of the transfer.
  • Please review Section 3.2 and Section 3.3 of the Policy to the legal reasons for processing your personal data, which can be collected through different ways in physical or electronic media. see section
  • As you are the Data Subject, we inform you that you have the following rights pursuant to the Article 11 of KVKK:
    • to learn whether your personal data are processed or not, 
    • to request information if your personal data are processed, 
    • to learn the purpose of your data processing and whether this data is used for intended purposes
    • to know the third parties to whom your personal data is transferred at home or abroad,
    • to request the rectification of the incomplete or inaccurate data of your, if any, and to request notification of the operations carried out in compliance these to third parties to whom your personal data has been transferred,
    • -Despite being processed in accordance with the provisions of KVKK and other relevant legislations- to request erasure or destruction of the personal data in the case that the purposes requiring their processing disappear; and also, to request notification of the operations carried out in compliance these to third parties to whom your personal data has been transferred.
    • to object to the processing, exclusively by automatic means, of your personal data, which leads to an unfavourable consequence for the data subject, 
    • to request compensation for the damage arising from the unlawful processing of your personal data.

You can submit your applications regarding your rights specified above to our Company by filling out the Data Subject Application Form of Company which you can provide it by accessing to https://bonna.com.tr/ .Depending on the nature of your request, your applications shall be concluded free of charge as soon as possible and within thirty days at the latest; however, in case such act requires an additional cost, you may be charged for that according to the tariff to be determined by the Personal Data Protection Board.

Company firstly determines whether the person making the claim has a real right in the evaluation of the applications. However, Company may request detailed and additional information in order to better understand the demand when it deems necessary.

Copmany replies to the data subject applications, and is sent to the data subject in writing or electronically. If the application is refused, the reasons for rejection will be explained to the data subject

8. ERASURE, DESTRUCTION, ANONYMIZATION OF THE PERSONAL DATA OF THE EMPLOYEES

According to the Article 7 of KVKK, despite being processed under the provisions of the Law, personal data shall be erased, destructed or anonymized by Company in accordance with the Guidances published by Company, ex officio or upon demand by the Employee, upon disappearance of reasons which require the process.

9. CONSTRAINTS REGARDING THE APPLICATION AND THE SCOPE OF THE LAW

According to the Article 28 of the KVKK, the provisions of the Law shall not be applied in the following cases where:

  • personal data is processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security is to be complied with. 
  • personal data is processed for the purpose of official statistics and for research, planning and statistical purposes after having been anonymized. 
  • personal data is processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defence, national security, public security, public order, economic security, right to privacy or personal rights are not violated or they are processed so as not to constitute a crime. 
  • personal data is processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorised and assigned to maintain national defence, national security, public security, public order or economic security. 
  • personal data is processed by judicial authorities or execution authorities with regard to investigation, prosecution, criminal proceedings or execution proceedings. 

According to the Article 28 of the KVKK; in the cases listed below, Company is not under the obligation to inform her Employees and the Employees, excluding their rights to demand compensation, shall not be able to exercise their rights regulated in the Law where personal data processing:

  • is required for the prevention of a crime or crime investigation.
  •  is carried out on the data which is made public by the data subject himself.
  • is required for inspection or regulatory duties and disciplinary investigation and prosecution to be carried out by the public institutions and organizations and by professional associations having the status of public institution, assigned and authorised for such actions, in accordance with the power conferred on them by the law. 
  • is required for protection of State’s economic and financial interests with regard to budgetary, tax-related and financial issues. 

10. ANNEX-1: DEFINITIONS

DEFINITION
Explicit ConsentFreely given, specific and informed consent.
AnonymizingRendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.
EmployeeNatural person who are employees of Company
CandidateNatural person who are not employees of Company but who are candidates for working in Company in various ways
Personal Medical DataAll the medical information relating to an identified or identifiable natural person
Personal DataAll the information relating to an identified or identifiable natural person.
Data SubjectThe natural person, whose personal data is processed.
Processing of Personal DataAny operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.
LawThe Law on the Protection of Personal Data (“KVKK” and/or “Law”) No: 6698, published in the Official Gazette on 07.04.2016, No: 29667,
Personal Data of Special NatureRace, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data.
PolicyThe Policy on Processing and the Protection of Personal Data of Bonna Porselen Sanayı Ve Tıcaret Lımıted Sırketı
CompanyBonna Porselen Sanayı Ve Tıcaret Lımıted Sırketı
Business PartnersPersons that Company has partnered within the scope of contractual relations within the framework of its commercial activities
Data SubjectThe natural person, whose personal data is processed.
Data ProcessorThe natural or legal person who processes personal data on behalf of the controller upon his authorization.
Data ControllerThe natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system.