Personal Data Processing and Protection Policy
PROCESSING AND PROTECTION OF PERSONAL DATA POLICY
Personal Data Storage and Disposal Policy (Policy), PİLOT GARAGE OTOMOTİV INCORPORATED COMPANY (“Company”), whose personal data is processed; Keeping personal data of employee, employee candidate, dealer employee, dealer official, apprentice, supplier, product or service purchaser, web page visitor in accordance with the Turkish Constitution, international agreements, Personal Data Protection Law No. 6698 (Law) and other relevant legislation It aims to determine and announce the business rules of
The category of natural or legal persons to whom the data controller transfers personal data.
Consent on a particular subject is based on the information and expressed with free will.
Making the personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Environments where personal data can be created, read, changed, and written by electronic devices.
All written, printed, visual etc. other than electronic media. other environments.
A natural or legal person who provides services within the framework of a certain contract with the company.
The natural person whose personal data is processed.
Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.
Deletion, destruction, or anonymization of personal data
Law No. 6698 on the Protection of Personal Data.
Personal Data Protection Board.
Any environment where personal data is processed wholly or partially automatically or by non-automatic means provided that it is a part of any data recording system.
Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory
Personal data processing activities are carried out by data controllers depending on their business processes; The inventory, which is created by associating the personal data processing purposes and legal reason, the data category, the transferred recipient group, and the data subject group, by explaining the maximum storage period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures are taken regarding data security.
Processing of Personal Data
Obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system Any operation performed on data such as
PİLOT GARAGE OTOMOTİV INCORPORATED COMPANY
Special Qualified Personal Data
Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
The deletion, destruction, or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in the event that all of the personal data processing conditions in the law are eliminated.
Personal Data Retention and Disposal Policy
The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Recording System
The registration system in which personal data is processed and structured according to certain criteria.
The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controllers Registry Information System
An information system created and managed by the Presidency, accessible over the internet, to be used by the data controllers in the application to the Registry and other related transactions related to the Registry.
Data Controllers Registry Information System
Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.
Personal Data is processed by the Company in accordance with the procedures and principles stipulated in the Law and this Policy. The Company acts with the following principles when processing Personal Data:
- Personal Data is processed in accordance with the relevant legal rules and the requirements of the honesty rule.
- It is ensured that Personal Data is correct and up-to-date. In this context, issues such as determining the sources from which the data is obtained, confirming its accuracy, and evaluating whether it needs to be updated are carefully considered.
- Personal Data; processed for specific, explicit, and legitimate purposes. Being legitimate means that the Personal Data processed by the Company is related to and necessary for the work it does or the service it provides.
- Personal Data is related to the purpose in order to achieve the purposes determined by the Company, and the processing of personal data that is not related to the realization of the purpose or is not needed is avoided. It limits the processed data only to what is necessary for the realization of the purpose. Personal data processed in this context are related, limited, and measured for the purpose for which they are processed.
- If there is a period foreseen for data storage in the relevant legislation, it complies with these periods; otherwise, personal data will be retained only for the period necessary for the purpose for which they are processed. In the event that there is no valid reason for further preservation of personal data, the data in question is deleted, destroyed, or anonymized.
Personal data cannot be processed without the explicit consent of the Data Owner in accordance with Article 5 of the law. However, as per the regulation in the same article; In case of the existence of one of the conditions below, personal data will be processed without seeking the explicit consent of the Data Owner.
-Explicitly Prescribed in Laws
If the personal data of the data owner is expressly stipulated in the law, in other words, if there is a clear provision in the law regarding the processing of personal data, the existence of this data processing condition may be mentioned. For example: Keeping the personnel file of the employee in accordance with the provisions of the Labor Law or the Occupational Health and Social Security Law.
-Failure to Obtain Explicit Consent of the Related Person Due to Actual Impossibility
The personal data of the data owner may be processed if it is necessary to process personal data in order to protect the life or bodily integrity of the person or another person who is unable to express his or her consent due to actual impossibility or whose consent will not be valid.
-Directly Related to the Establishment or Performance of a Contract
Provided that it is directly related to the establishment or performance of a contract, personal data may be processed by the company without the explicit consent of the data subjects if it is necessary to process the personal data of the parties to the contract.
-Company (Data Controller) Obligation to Fulfill its Legal Obligation
The personal data of the data owner may be processed in cases where processing is necessary for our company to fulfill its legal obligations. For example: obtaining the employee's bank and account information, asking whether he is married, his dependents, whether his spouse is working or not, and social insurance information in order to be able to pay the employee a salary.
-Personal Data Made Public by the Data Owner Himself
In case the data owner makes his personal data public, personal data may be processed by our company, limited to the purpose of making it public.
-Compulsory Data Processing for the Establishment or Protection of a Right
If data processing is necessary for the establishment, exercise, or protection of a right, the personal data of the data owner may be processed. For example: using some data for proof in a lawsuit filed by the employee
-Mandatory Data Processing for the Legitimate Benefits of Our Company, Provided Not to Harm the Fundamental Rights and Freedoms of the Data Owner
Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company. For example: Processing the personal data of the employees to be taken as basis in the arrangement of their promotions, salary increases, or social rights or in the distribution of duties and roles in the process of restructuring the enterprise, provided that it does not harm the fundamental rights and freedoms of the employees.
Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are of special nature. is personal data.
Pursuant to Article 6 of the Law, sensitive personal data cannot be processed without the explicit consent of the data owner. However, sensitive personal data other than the sexual life and health of individuals may be processed without the explicit consent of the data owner in cases stipulated by the laws.
Personal data related to health and sexual life are only for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services, and financing, by persons or authorized institutions or organizations under the obligation of confidentiality without seeking the explicit consent of the person concerned. can be processed. In all cases, it is obligatory to take adequate measures determined by the Board (Personal Data Protection Board) in the processing of sensitive personal data.
Our company has the health information of our employees to the extent stipulated by the laws and is processed within the scope of the laws. Care is taken not to keep sensitive personal data under any other conditions.
Our company informs the data owners before the Personal Data is processed, in accordance with Article 10 of the Law. In this context, our Company fulfills the Obligation of Disclosure during the acquisition of personal data. Within the scope of the disclosure obligation, the notification to be made to the Data Owners includes the following elements.
- Identity of the Data Controller and his representative, if any
- For what purpose personal data will be processed
- To whom and for what purpose the processed personal data can be transferred
- Method and legal reason for collecting personal data
- Rights of data owners listed in Article 11 of the KVKK
Our company provides the necessary information if the data owner requests information in accordance with Article 20 of the Constitution and Article 11 of the KVKK.
-Domestic Transfer of Personal Data
Use of Article 8 of the Law As a rule of Personal Data, third parties cannot be transferred except with the explicit consent of the Data Owner. However, in case of one of the situations listed in article 4 of this Policy, in which the explicit consent of the Data Owner is not sought, it is possible to sell the Personal Data to third parties in the country without the explicit consent of the Data Owner.
As for Special Quality Personal Data, it is possible to leave the data without seeking the explicit consent of the data owner in case of user presence, one of the provisions specified in the 3rd paragraph of Article 6 of the Law, provided that adequate precautions are taken.
-Transferring Personal Data Abroad
Use of Article 9 of the Law As a rule Personal Data, cannot be transferred abroad without the explicit consent of the Data Owner. However, in case one of the following conditions exists, the responsibility of the owner of the Personal Data of foreign third parties without the explicit consent of the Data Owner:
- Existence of one of the situations specified in the 2nd and 3rd products of this Policy, where the consent of the Data Owner is not sought.
- Availability of adequate protection in the foreign country to which Personal Data will be transferred.
- In the absence of adequate protection, the data controllers of Turkey and related foreign entities undertake in writing to provide adequate protection and the Board has permission.
Countries with adequate protection are determined and announced by the Board.
Personal Data, without prejudice to the provisions of international conventions, can be transferred domestically only with the opinion of the relevant public institution or the lessee, with the provisions of which the interests of Turkey or the Data Owner will be seriously harmed.
-Third Parties to whom Personal Data may be Transferred
The Company may transfer the Personal Data to the specified third parties, domestically or abroad, with real or legal persons, by the 8th and 9th users of the Law, to use the personal data for the purposes specified in this Policy: custody, consultants, financial advisors, lawyers, audit firms, service providers, cooperating firms, dealers, authorities, authorized public institutions and established.
Your personal data will be used to fulfill the purposes set forth in the Company legislation by complying with the limits stipulated in the KVKK. The processing purposes are; executing emergency management processes, executing information security processes, executing employee candidate/intern / student selection and placement processes, executing the application processes of employee candidates, executing employee satisfaction and loyalty processes, fulfilling the obligations arising from the employment contract and legislation for employees, side effects for employees Execution of rights and interests processes
executing audit / ethical activities, executing vehicle inquiry processes, executing dealer opening processes, executing appointment processes, executing training activities, executing access authorizations, executing activities in accordance with the legislation, executing financial and accounting works, executing company/product / services loyalty processes, physical providing space security, executing assignment processes, following and executing legal affairs, conducting internal audit/investigation / intelligence activities, conducting communication activities, planning human resources processes, conducting / auditing business activities, carrying out occupational health/safety activities, improving business processes. purchase and evaluation, execution of business continuity activities, execution of goods / services purchasing processes, execution of goods / services after-sales support services, goods / services Execution of meat sales processes, execution of goods / services production and operation processes, execution of customer relations management processes, execution of activities for customer satisfaction, organization and event management, execution of marketing analysis studies, execution of performance evaluation processes, execution of advertising / campaign / promotion processes, risk execution of management processes, execution of storage and archive activities, execution of contract processes, follow-up of requests / complaints, ensuring the security of movable goods and resources, conducting supply chain management processes, conducting wage policy, conducting marketing processes of products / services, ensuring the security of data controller operations, investment processes, carrying out talent / career development activities, informing authorized persons, institutions and organizations, conducting management activities.
Personal data can be contacted face-to-face with the person concerned via websites, applications, e-mail, and third-party digital channels including recruitment portals, or via pilot garage online software, contracts, applications, forms, call center, sales, and marketing unit, and telephone. It can be collected by means of automatic or non-automatic means, with appointment records, video recordings made at openings and organizations, security camera recordings, via the internet, and through interviews.
KVKK lists the conditions for the processing of personal data in paragraph 2 of Article 5. If the purposes of processing personal data by a data controller can be evaluated within the framework of the personal data processing conditions listed in KVKK, that data controller can process personal data in accordance with the law. In this context, personal data processing activities are carried out by the Company in cases where the personal data processing purposes pursued by the Company can be evaluated within the scope of the personal data processing conditions regulated in the KVKK. The company does not engage in any personal data processing activities that do not fall within the scope of personal data processing conditions.
The personal data processing conditions in the KVKK are as follows;
• Having the explicit consent of the person concerned,
• It is clearly stipulated in the laws,
• It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally recognized,
• It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
• It is mandatory for the data controller to fulfill its legal obligation,
• It has been made public by the data owner himself,
• Data processing is mandatory for the establishment, exercise, or protection of a right,
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner.
The basic processing condition for sensitive personal data is express consent and the Company does not basically aim to process sensitive personal data. However, your personal data of special nature, which we need to process due to our activities or that you have given your consent with your explicit consent, are also processed in a measured manner within the scope of the legislation.
The conditions listed in the KVKK for the processing of special-quality personal data are as follows;
• Having the explicit consent of the person concerned,
• Explicitly stipulated in-laws for personal data of special nature other than health and sexual life,
• Personal data related to health and sexual life only; It may be processed without the explicit consent of the person concerned, by persons or authorized institutions and organizations under the obligation of secrecy, for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and their financing.
One or more personal data processing conditions that make a personal data processing activity lawful may exist at the same time. In order to realize our aforesaid purposes, it is necessary to process your data, which we mentioned above. While transferring identity information to our company, data that is not actually within our processing purposes can also be transferred to us. Within the scope of administrative and technical measures, we delete and/or anonymize the data in question at the end of the periods stipulated in the legislation, but this is not possible under all circumstances. In this case, it is necessary to apply for your explicit consent in order to process the data in question.
The policy is reviewed as needed and the necessary sections are updated.
The policy is deemed to have entered into force after its publication on the Company's website. In the event that it is decided to be revoked, old copies of the Policy with wet signatures are canceled and signed by the KVK team leader (by writing canceled) and stored in the KVKK folder for at least 5 years.