Policy on the Protection of and Processing of Personal Data

1. INTRODUCTION

1.1. The Scope and The Purpose of the Policy

The Law on the Protection of Personal Data, No: 6698(“Law” and/or “KVKK”) has entered into force on 07/04/2016; and, The Processing and Protection of Personal Data Policy (“Policy”)by Bonna Porselen Sanayi Ve Ticaret Limited Sirketi (“Company”), operated under the name Bonna, and the protection and processing of personal data by the Company. It is aimed to determine the principles to be followed in fulfilling the related liabilities.

The Law on the Protection of Personal Data, No: 6698(“Law” and/or “KVKK”) has entered into force on 07/04/2016; and Compnay that is operated under the name of Bonna is intended to determine the principles to be followed in ensuring compliance with the Policy on the Processing and the Protection of Personal Data (“Policy”) and in fulfilling the obligations regarding the protection and processing of personal data by the Company.

Collected personal data of yours shall be processed within the context of the conditions and purposes of the Articles 5 and 6 of Law, No:6698, for the purposes of: performing the necessary work by our business units in order to make yours use of the products and the services provided by our Company, in general sense; recommending services to yours that are customized according to your likes and usage habits; ensuring the legal and commercial security of our Company and those who have a business relationship with our Company; determining and implementing our Company’s commercial and business strategies

The policy determines the processing conditions of personal data and sets out the main principles adopted by the Company in the processing of personal data. In this context, the Policy covers all personal data processing activities within the context of the Law, the subjects of all personal data processed by the Company and all personal data processed by the Company.

The matters regarding the processing of personal data of the company employees are not covered by this Policy and are regulated separately in the Processing and the Protection of Personal Data of the Employees Bonna Porselen Sanayi Ve Ticaret Limited Sirketi

Definitions regarding the terms used in the policy are included in ANNEX-1.

1.2. Effectiveness and Amendmend

The Policy has been published and made public on the website by the Company. In case of dispute between the current legislation, especially the Law, and the regulations in this policy, the provisions of the legislation shall be applied. The company reserves the right to make amendmends in the policy in line with the legal regulations. The current version of the policy is available on the website of the Company.

2. DATA SUBJECTS, PURPOSES OF PROCESSING PERSONAL DATA AND DATA CATEGORIES OF OUR COMPANY WHILE PROCESSING PERSONAL DATA ACTIVITIES

2.1. Data Subjects

Within the scope of this Policy, Data Subjects are all of the natural persons other than Company employees whose personal data are processed by the Company. In this framework, the categories of data subjects are as follows: Employees whose personal data we process; Employee/ Candidate/ Intern,

Our Suppliers,
Our Business Partners,
Visitors,
The third person and / or the persons with whom we have relations within the scope of our company’s interests and legal responsibilities

Data subject categories are specified for general information sharing. The fact that the data subject does not fall under any of these categories does not eliminate the quality of the data subject as specified in the law.

2.2. Purposes of Processing Personal Data By the Company

Your personal data and personal data of special personal data might be processed by the Company in accordance with the personal data processing conditions specified in the law and related legislation for the following purposes.

MAIN PURPOSES	SECONDARY PURPOSES
Performing the necessary works by our relevant business units in order to carry out the activities conducted by the Company, and and conducting business processes related to those	Planning and performance of business activities Event Management Planning and performance of corporate communication activities Creation and management of information technologies infrastructure Planning and execution of business continuity activities Planning, inspecting and execution of information security processes Planning and execution of business partners and suppliers’ access authorities to information Monitoring financial and accounting affairs Planning the activities / efficiency and effectiveness analysis of business activities Planning and execution of corporate management activities Planning, supporting and executing research and development activities Planning and execution of company training activities Management of relations with business partners and suppliers Execution of strategic planning activities Planning and execution of programs and trainings offered by the company in terms of scope and content
Planning and Executing the Company’s Human Resources Policies and Processes	Planning of human resources processes Fulfillment of labour contractual and regulatory obligations for the personnel, Monitoring and control of the work activities of the employees / candidates and interns Planning and execution of the activities on the Organizations of Corporate communication, corporate social responsibility and non-governmental organizations with which the participate. Planning and execution of benefits and vested benefits for the employees / candidates and interns Execution of human resource procurement processes Planning and monitoring performance evaluation processes Planning and execution of personnel job quitting procedures Planning and execution of the satisfaction and loyalty processes of the employees / candidates and interns Planning and execution of the processes of receiving and evaluating the suggestions of the personnel for the improvement of the company processes Planning and execution of Talent – Career development activities Planning and execution of intraco orientation activities Planning and execution of in-house appointment-promotion and turnover processes Planning and execution of in-company training activities Planning and execution of personnel / candidates and intern’s access to information Planning of Salary increase Improving the institutional processes of the staff
Ensuring the legal, technical and commercial-occupational safety of the company and the persons in business relationship with the Company	Ensuring the security of the company’s campuses and facilities Creating and following up visitor records Giving information to the authorized institutions arising from the legislation Ensuring the security of company operations Monitoring the legal affairs Planning and execution of the operational activities required to ensure that company activities are carried out in accordance with institutional procedures and relevant legislation Planning and execution of emergency management processes Planning and execution of company audit activities Planning and execution of occupational health and safety processes Ensuring that the data are correct and up to date Ensuring the security of company activities Planning and execution of the company’s financial risk processes Planning and execution of the company’s commercial risk processes Ensuring the security of the company’s fixtures and resources
Planning and execution of the activities required by the company to offer, recommend and promote her services to the people concerned.	Planning and executing company services Planning and execution of the processes of company marketing services Planning and execution of marketing services research activities Planning and execution of processes to establish and increase loyalty to the company Planning and execution of company satisfaction activities Planning and executing company programs and services

Personal Data Categories

Your personal data, categorized below by the Company, is processed in accordance with the personal data processing conditions contained in the law and related legislation:

CATEGORIZATION OF PERSONAL DATA	EXPLANATION
Identity	All information regarding the identity of the person in documents, such as: driver’s license, identity card, residence, passport, attorneyship identity, date of birth, gender, marital status, education, insurance, occupation
Contact Information	Information that enables one to contact the data subject, such as: phone number, address, e-mail
Location Data	Data that are clearly identified or identifiable to a natural person and located within the data recording system, to determine the location of the data subject; boat / transportation / travel information
Information of Family Members and Relatives of the Data Subject	Information about the family members and relatives of the personal data subject whose identity is clearly or identifiably belongs to a real person and included in the data recording system, processed to protect the legal interests of the relevant Institution and the data subject.
Risk Management Information	Personal data that is clearly identified or identifiable to a natural person and included in the data recording system, processed to manage the Company’s commercial, technical and administrative risks
Physical Area Security Information	At the entrance to the physical space, records such as camera records, license plate information records taken during the stay in the physical area and personal data related to the documents
Transaction Security Information	Your personal data processed to ensure our technical, administrative, legal and commercial security while conducting our commercial activities
Financial Information	Information, accommodation and expenditure information, personal data processed on documents and records, showing all kinds of financial results created according to the type of legal relationship established between the data subject and our company.
Candidate Information	Personal data processed by individuals who have applied to be employees of our company or who are evaluated as candidates in line with our human resources needs or who are in a working relationship with our Company in accordance with commercial custom and good faith.
Legal Process and Compliance Information	Personal data processed within the scope of determination of legal receivables and rights, starting a legal proceeding and performance of our debts and compliance with our legal obligations and Company policies
Audit and Inspection Information	Personal data processed within the scope of our company’s legal obligations and compliance with Company policies
Data of Special Nature	Race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are the personal data of special nature
Marketing Information	Social media accounts, shopping information, invoice information, consumption preferences, data that shall be used by the Company in marketing activities, which are clearly identifies by a certain or identifiable natural person and included in the data recording system.
Request/ Complaint Management Information	Personal data regarding the receiving and evaluation of any requests or complaints addressed to our company
Reputation Management Information	nformation collected for the purpose of protecting the commercial reputation of our company and information related to the evaluation reports and actions taken
Incident Management Information	Personal data processed in order to take necessary legal, technical and administrative measures against events that emerged to protect the commercial rights and interests of our company.
AudioVisual Data	Visual and auditory recordings that are clearly identified or identifiable to a natural person and are included in the data recording system and associated with the data subject.

3. PRINCIPLES AND CONDITIONS REGARDING THE PROCESSING OF PERSONAL DATA

3.1. Principles of the Processing of Personal Data

The personal data is processed in accordance with the personal data processing principles in Article 4 of KVKK by Company

It is imperative to comply with these principles for each personal data processing activity.

Lawfulness and conformity with rules of bona fides.
Accuracy and being up to date, where necessary.
Being processed for specific, explicit and legitimate purposes
Being relevant with, limited to and proportionate to the purposes for which they are processed.
Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed.

3.2. Conditions of the Processing of Personal Data

Accordingly, the basis of the personal data processing activity might be only one of the conditions mentioned beloved, and more than one of these conditions might be the basis of the same personal data processing activity.

Having the Explicit Consent of the Data Subject, The primary condition for processing of the personal data is the explicit consent of of the data subject. The explicit consent of the data subject has to be given freely, specific and informed consent.
It Must Clearly Provided For By The Laws, Personal data of the data subject may be processed in accordance with the law without seeking the explicit consent of the data subject in cases where they are clearly provided for by the Laws.
Where it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his / her consent or whose consent is not deemed legally valid, Personal Data of the data subject might be processed in cases where it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his / her consent or whose consent is not deemed legally valid.
Direct relation with the conclusion or fulfilment of the contract, Personal Data of the data subject might be processed in cases where processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfilment of contract
Legal Obligation, Personal Data of the data subject might be processed in cases where it is mandatory for the controller to be able to perform our Company’s legal obligations
Making the data available to the public by the data subject himself / herself, Within the boundaries of making the personal data available to the public, personal Data of the data subject might be processed in cases where the data concerned is made available to the public by the data subject himself
Where data processing is mandatory for the establishment, exercise or protection of any right, Personal Data of the data subject might be processed in cases where data processing is mandatory for the establishment, exercise or protection of any right.
Where data processing is mandatory for the legitimate interests of our Company, Personal Data of the data subject might be processed in cases where it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

3.3 CONDITIONS ON THE PROCESSING OF PERSONAL DATA OF SPECIAL NATURE

In the Article 6 of the KVKK, special personal datas are specified to be limited. They are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data of persons.

Company could process special personal data by providing additional measures determined by the Personal Data Protection Board in the following cases,

The processing of special personal data, other than health and sexual life, can be processed if the data subject gives explicit consent or when clearly prescribed by law.
Personal data related to health and sexual life, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, the data owner is open by the persons who are under the obligation to keep secrets or authorized companies and organizations. can be processed without seeking consent.

4. TRANSFER OF PERSONAL DATA

Company may transfer personal data at home or abroad in case there are conditions for transferring personal data, in accordance with the Articles of 8 and 9 of KVKK and with the additional regulations determined by the Personal Data Protection Board

Transfer of personal data to third persons at home, Your personal data, provided that at least one of the data processing conditions stated in Articles 5 and 6 of KVKK and specified under the Section.3 of this Policy exists and provided that they comply with the basic principles of data processing, might be transferred by Company.
Transfer of personal data to third persons abroad, in the cases a person does not renders his/her explicit consent, your personal data, provided that at least one of the data processing conditions stated in Articles 5 and 6 of KVKK and specified under the Section.3 of this Policy exists and provided that they comply with the basic principles of data processing, might be transferred by Company.

In case the country to be transferred is not from the safe countries to be announced by the Personal Data Protection Board, upon undertaking adequate protection in writing in the relevant country by Company and the data controller, personal Data may be transferred abroad to third parties in case of at least one of the data processing conditions specified in article 5 and 6 of KVKK (see Policy Title 3), provided that the Board permits this process.

Within the scope of the general principles of KVKK and data processing conditions specified in Articles 8 and 9, Company may transfer data to the parties categorized in the table below:

CATEGORIZATION OF TRANSFERRED PART	CONTEXT	PURPOSE OF TRANSFER
Business Partner	Parties with which the Company has established a business partnership while carrying out her commercial activities	Limited sharing of personal data to ensure the fulfillment of the business partnership’s objectives
Provider	Parties that provide services for the Company to proceed her commercial activities in accordance with the instructions received from the Company and based on the contract with the Company.	Limited transfer by receiving outsourced services from the supplier
Legally Authorized Public Authority	Public institutions and organizations legally authorized to receive information and documents from the Company	Limited personal data sharing of relevant public institutions and organizations to request information
Authorized Private Company	Private persons legally authorized to receive information and documents from the Company	Limited sharing of data for the purpose requested by the relevant private persons within their legal authority

5. RIGHTS OF AND INFORMING THE DATA SUBJECTS

According to Article 10 of the Law, data subjects must be informed with regard to the processing of personal data before or while the processing of personal data at the latest. In accordance with the this article, the necessary structure within the Institution has been established to ensure that the data subject are informed in every situation where the personal data processing activity is carried out by the Company as the data controller. Within this context;

For the purpose of processing your personal data, please See the section 2.2 of the Policy.
Please See the section 4 of the Policy for the parties to which your personal data is transferred and for the purpose of the transfer.
Please See the sections 3.2 and 3.3 of the Policy to review the conditions for processing your personal data, which can be collected through different channels in physical or digital media. As you are the Data Subject, we inform you that you have the following rights pursuant to the Article 11 of KVKK:
- to learn whether your personal data are processed or not,
- to request information if your personal data are processed,
- to learn the purpose of your data processing and whether this data is used for intended purposes
- to know the third parties to whom your personal data is transferred at home or abroad,
- to request the rectification of the incomplete or inaccurate data of your, if any, and to request notification of the operations carried out in compliance these to third parties to whom your personal data has been transferred,
- Despite being processed in accordance with the provisions of KVKK and other relevant legislations- to request erasure or destruction of the personal data in the case that the purposes requiring their processing disappear; and also, to request notification of the operations carried out in compliance these to third parties to whom your personal data has been transferred.
- to object to the processing, exclusively by automatic means, of your personal data, which leads to an unfavourable consequence for the data subject,
- to request compensation for the damage arising from the unlawful processing of your personal data.

You can submit your applications regarding your rights specified above to our Company by filling out the Data Subject Application Form of our Company which you could provide it by accessing to the Website of the Company. Depending on the nature of your request, your applications shall be concluded free of charge as soon as possible and within thirty days at the latest; however, in case such act requires an additional cost, you may be charged for that according to the tariff to be determined by the Personal Data Protection Board.

During the evaluation of the applications, the Company, first, determines whether the person making the claim has a real right to do so. In addition to this, the Company may request detailed and additional information in order to understand the request in a better way, when it deems necessary.

Responses to data subject applications are reported to them in writing or electronically. If the application is refused, the reasons for rejection shall be explained to the data subject on by explaining the reasoning of the refusal as well.

If personal data are not collected directly from the data subject;

Within a reasonable time from the acquisition of personal data,
If the personal data will be used for data communication with the person, during the initial communication,
If personal data is to be transferred, at the latest when personal data are to be transferred for the first time,

activities regarding the informing of data subjects shall be carried out by the company

6. ERASURE, DESTRUCTION, ANONYMIZATION OF THE PERSONAL DATA OF THE EMPLOYEES

According to the Article 7 of KVKK, despite being processed under the provisions of the Law, personal data shall be erased, destructed or anonymized by Company in accordance with the Guidances published by Company, ex officio or upon demand by the Employee, upon disappearance of reasons which require the process.

7. CONSTRAINTS REGARDING THE APPLICATION AND THE SCOPE OF THE LAW

The provisions of the Law shall not be applied in the following cases where:

personal data is processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security is to be complied with.
personal data is processed for the purpose of official statistics and for research, planning and statistical purposes after having been anonymized.
personal data is processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defence, national security, public security, public order, economic security, right to privacy or personal rights are not violated or they are processed so as not to constitute a crime.
personal data is processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorised and assigned to maintain national defence, national security, public security, public order or economic security.
personal data is processed by judicial authorities or execution authorities with regard to investigation, prosecution, criminal proceedings or execution proceedings.

In the cases listed below, the Company is not under the obligation to inform her Employees and the Employees, excluding their rights to demand compensation, shall not be able to exercise their rights regulated in the Law where personal data processing:

is required for the prevention of a crime or crime investigation.
is carried out on the data which is made public by the data subject himself.
is required for inspection or regulatory duties and disciplinary investigation and prosecution to be carried out by the public institutions and organizations and by professional associations having the status of public institution, assigned and authorised for such actions, in accordance with the power conferred on them by the law.
is required for protection of State’s economic and financial interests with regard to budgetary, tax-related and financial issues.

8. ANNEX-1: DEFINITIONS

DEFINITION
Explicit Consent	Freely given, specific and informed consent.
Anonymizing	Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.
Employee	Real Person that is the Employee of the Company
Candidate	Natural persons who are not the employees of the company, but who have the status of Candidates of the Company through various methods
Personal Medical Data	Any health information about an identified or identifiable natural person
Personal Data	All the information relating to an identified or identifiable natural person.
Data Subject	The natural person, whose personal data is processed.
Processing of Personal Data	Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.
Law	The Law on the Protection of Personal Data No: 6698, published in the Official Gazette, No: 28677 , on April 7, 2016
Personal Data of Special Nature	Race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data.
Policy	Policy on the Processing and the Protection of Personal Data of the Company
Company / Company	Bonna Porselen Sanayi Ve Ticaret Limited Sirketi
Business Partners	Persons with whom the Company has established a partnership within the scope of contractual relations within the framework of her business activities.
Data Processor	The natural or legal person who processes personal data on behalf of the controller upon his authorization.
Data Controller	The natural person who determines the purpose and means of processing personal data and is responsible for managing the data registry system that the data are retained in a systematical way