1. INTRODUCTION
With the amendment made to Article 20 of the Constitution by Law No. 5982 in 2010, the right of individuals to request the protection of their personal data has been constitutionally guaranteed. The Personal Data Protection Law (“KVKK”), which was prepared over many years in alignment with European Union standards, was published in the Official Gazette on 07.04.2016 and entered into force. The KVKK largely mirrors the regulations of the European Union Directive 95/46/EC, and with its enactment, the protection of individuals' personal data has been comprehensively regulated under a legal framework.
Since the data of legal entities are already protected under the applicable laws in force, the KVKK—consistent with European Union regulations—only provides protection for personal data in relation to natural persons. The KVKK ensures the protection of individuals’ rights to privacy and information security, and includes provisions regarding the definition and classification of personal data, the processing of personal data, the obligations of natural and legal persons who process personal data, the establishment of the Personal Data Protection Authority, and procedures for lodging complaints.
GİMAS GİRGİN MAKİNE İMALAT MONTAJ VE MÜHENDİSLİK SAN. TİC. A.Ş., which operates in the field of steel construction manufacturing, demonstrates its sensitivity regarding the security of personal data as it does in its industrial activities. Within the framework of the company’s principles of high-quality service, respect for individual rights, transparency, and integrity, GİMAS places great importance on aligning its internal operations with the KVKK, its secondary legislation, the decisions and regulations of the Personal Data Protection Board, and other relevant legal regulations. For this reason, this Policy has been established and put into effect in order to ensure compliance with the Law and to enable our customers to benefit from the rights provided by the KVKK.
2. PURPOSE AND SCOPE
2.1. The purpose of this Policy is to ensure the effective implementation—by GİMAS, its employees, and business partners—of the regulations introduced in line with the fundamental principles outlined above for compliance with the Personal Data Protection Law (KVKK).
2.2. In accordance with the fundamental regulations envisaged in this Policy, all necessary administrative and technical measures will be taken within the operations of GİMAS for the processing and protection of personal data. Internal procedures will be established, comprehensive training will be conducted to raise awareness, and all necessary measures will be taken to ensure the compliance of employees and business partners with KVKK processes. Appropriate and effective auditing mechanisms will be established.
2.3. This Policy sets forth the core principles to be observed throughout these processes and outlines the obligations of GİMAS in guiding internal operations in accordance with the regulations introduced by KVKK. Through internal procedures to be established within the framework of KVKK and relevant legislation, GİMAS will define the compliance activities it will carry out to ensure the protection of personal data. All GİMAS employees are required to perform their duties in accordance with the provisions of this Policy, KVKK, and all other applicable legislation.
2.4. In cases where this Policy and the relevant legal provisions are not complied with, in addition to the legal and penal liabilities stipulated by the legislation, internal disciplinary sanctions shall be imposed by GİMAS, depending on the nature of the incident. These sanctions may extend to the termination of the employment contract for just cause within the framework of employment legislation.
3. DEFINITIONS
3.1. Explicit Consent: Refers to consent that relates to a specific subject, is based on the data subject having been informed, and is expressed with free will.
Since the burden of proof for informing and enlightening the data subject lies with the data controller, the records of explicit consent and information notices shall be stored and protected in accordance with internal company procedures.
3.2. Anonymization: Refers to the process of rendering personal data impossible to associate with an identified or identifiable natural person, even when matched with other data.
It is possible to anonymize personal data for various purposes that do not violate the scope of KVKK or the requirement of explicit consent, provided it aligns with the data subject's request and/or approval. GİMAS will take the necessary measures to ensure that anonymized data cannot be re-associated with an identifiable individual through any means.
3.3. Data Subject: Refers to the natural person whose personal data is processed.
This includes the personal data of GİMAS's individual customers, potential customers, employees (active, former, or retired), employee candidates, representatives of supplier companies, customer representatives, interns and intern candidates, business partners, shareholders, visitors, website visitors, job applicants, natural person representatives of related legal entities, third parties, and other individual stakeholders. The processing and protection of such data shall be handled by GİMAS in accordance with KVKK and this Policy.
3.4. Personal Data: Refers to any information relating to an identified or identifiable natural person.
All information that makes a person identifiable is considered personal data. Examples include Turkish ID number, name-surname, email address, phone number, address, date of birth, and bank account number. Within GİMAS, these data are categorized, and each category is governed by internal rules specifying how, by whom, for what purpose, and for how long the data can be processed.
3.5. Processing of Personal Data: Refers to any operation performed on personal data—whether by automatic means or otherwise, provided that it is part of a data recording system—including but not limited to collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, retrieval, classification, or prevention of use.
3.6. Special Categories of Personal Data: Refers to data relating to an individual's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations, or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
3.7. Data Processor: Refers to a natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller.
Internal procedures within GİMAS identify the personnel authorized to access and process personal data in accordance with KVKK, including the extent, purpose, duration of access, and the operations they are permitted to perform, all of which are determined department by department.
3.8. Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data, and who is responsible for the establishment and management of the data recording system.
Under KVKK, GİMAS qualifies as a data controller and will be registered in the VERBIS system. For this purpose, a Data Protection Management Representative (KVKS Representative) will be appointed within GİMAS to carry out operations under the data controller status. This representative will be responsible for the follow-up and coordination of all tasks and procedures within the scope of KVKK and regulations of the Personal Data Protection Board. In cases requiring a decision, the KVKS Representative shall consult the Legal Advisor and submit a recommendation to the management. Upon management’s approval, the decision will be implemented.
4. IMPLEMENTATION OF THE POLICY AND RESPONSIBILITIES
4.1. As the Data Controller, GİMAS is responsible for the application and organization of all internal processes and operations in accordance with this Policy.
4.2. The KVKS Management Representative shall be authorized and responsible for the implementation within GİMAS of all regulations, procedures, guidelines, standards, and training activities prepared in accordance with this Policy, with the support of the Legal Advisor and the internal audit unit.
4.3. All employees, business partners, visitors, and all relevant third parties across GİMAS are obliged to cooperate with the KVKS Management Representative in complying with this Policy and preventing any legal liabilities, risks, and threats that may arise under the relevant legislation.
4.4. All departments and governing bodies of GİMAS—together with their personnel—are obliged to act in accordance with this Policy and ensure compliance with its provisions.
4.5. This Policy shall be uploaded to the common information systems accessible to all GİMAS personnel at any time. In addition, it shall be published on the official website of GİMAS. Any amendments to the Policy shall be promptly updated both on the information systems and the website, thus ensuring that data subjects can access and be informed of the principles set forth in the Policy. The KVKS Management Representative shall be responsible for the publication of the Policy and announcements regarding amendments.
4.6. In the event of any conflict between the provisions of this Policy and the applicable legislation, GİMAS, in its capacity as Data Controller, acknowledges that the provisions of the legislation shall prevail. In such cases, the KVKS Management Representative shall be responsible for managing the process of updating the Policy in accordance with the legislative provisions.
5. PRINCIPLES OF PERSONAL DATA PROCESSING
5.1. General Principles for the Processing of Personal Data
GİMAS, in accordance with Article 4 of the Personal Data Protection Law (KVKK), undertakes to process personal data falling within the scope of this Policy in compliance with the following principles:
5.1.1. Compliance with the Law and the Principle of Good Faith
As a Data Controller and a prudent merchant, GİMAS undertakes to carry out its personal data processing activities in accordance with the Constitution, the KVKK, and all current and future legal regulations, and in compliance with the principle of good faith as stipulated in Article 2 of the Turkish Civil Code.
5.1.2. Accuracy and Being Up-to-Date When Necessary
GİMAS takes all necessary measures to ensure the accuracy and up-to-dateness of personal data to the extent allowed by current technology. Requests submitted by the data subject and situations deemed necessary by GİMAS shall be evaluated through administrative and technical mechanisms established by the company to correct and verify any inaccurate or outdated data.
5.1.3. Processing for Specific, Explicit, and Legitimate Purposes
Personal data is processed by GİMAS in a lawful manner, limited to the services currently provided or to be provided in the future, in accordance with the requirements of the applicable legislation. The purpose of processing is determined clearly and explicitly before the processing activity begins.
5.1.4. Being Relevant, Limited, and Proportionate to the Purpose of Processing
GİMAS processes personal data in a manner that is relevant, limited, and proportionate to the intended purpose. It is a fundamental principle to avoid processing personal data that is not related to or necessary for the intended purpose.
5.1.5. Retention for the Period Prescribed by Legislation or Required by the Purpose of Processing
Personal data is retained for the duration specified in the relevant legislation or for the period required to fulfill the purpose of processing. At the end of this period, the data is deleted, destroyed, or anonymized by GİMAS. All necessary administrative and technical measures will be taken to ensure the timely deletion of personal data once the retention period has expired.
6. CONDITIONS FOR PROCESSING PERSONAL DATA
Article 5 of the Personal Data Protection Law (KVKK) regulates the conditions under which personal data may be processed. GİMAS carries out personal data processing activities in accordance with the following conditions stipulated by the KVKK:
6.1. Presence of the Data Subject’s Explicit Consent
The primary rule for processing personal data is the presence of the data subject’s explicit consent. GİMAS shall process personal data only for the activities covered by such consent, provided that the data subject has been informed in a clear and unambiguous manner, as required by the KVKK, regarding the purpose of the processing.
6.2. Data Processing Required by Law
Even in the absence of explicit consent, if the processing of personal data is mandatory under applicable laws and regulations, such processing shall be deemed lawful, provided that other necessary criteria are also met.
6.3. Necessity of Data Processing for the Protection of Life or Physical Integrity Where Consent Cannot Be Obtained
If the data subject is unable to give consent due to actual impossibility or lacks legal capacity to consent, personal data may be processed if it is necessary to protect the life or physical integrity of the data subject or another person. GİMAS shall process personal data under such circumstances as permitted by the KVKK.
6.4. Necessity of Processing for the Establishment or Performance of a Contract
Personal data of the parties to a contract may be processed by GİMAS where it is directly related to the conclusion or performance of that contract.
6.5. Necessity of Processing to Fulfill the Data Controller’s Legal Obligation
As the Data Controller under the KVKK, GİMAS may process personal data when necessary to fulfill its legal obligations, within the limits defined by the applicable legislation.
6.6. Processing of Personal Data Made Public by the Data Subject
If the data subject has made their personal data public, GİMAS may process such data in a manner proportionate to the purposes for which the data was made public.
6.7. Necessity of Data Processing for the Establishment, Use, or Protection of a Right
Personal data may be processed by GİMAS to the extent necessary for the establishment, exercise, or defense of a legal right.
6.8. Legitimate Interests of the Data Controller
Personal data may be processed for the legitimate interests of GİMAS as the Data Controller, provided that such processing does not violate the fundamental rights and freedoms of the data subject. However, the legitimate interests of GİMAS shall never contradict the principles set forth by the KVKK, the intended purpose of data processing, or the essence of the constitutional rights guaranteed under the law.
7. CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA
Article 6 of the Personal Data Protection Law (KVKK) regulates the conditions under which special categories of personal data may be processed. In accordance with this article, special categories of personal data include individuals’ ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data. Within GİMAS, all business processes and documentation have been reviewed to identify and classify such data. The processing of special categories of personal data by GİMAS is conducted in compliance with the following conditions as stipulated by the KVKK:
7.1. Processing Special Categories of Personal Data Based on the Explicit Consent of the Data Subject
As a rule, the processing of special categories of personal data without the explicit consent of the data subject is prohibited under KVKK. Accordingly, GİMAS will primarily seek to obtain the explicit consent of the data subjects prior to processing any special categories of personal data. The processing activities shall be carried out within the scope of the consent provided. Exceptions provided under KVKK regarding the processing of such data without explicit consent remain reserved. GİMAS shall first verify the presence of lawful grounds for data processing before engaging in such activities.
7.2. Processing Special Categories of Personal Data Without Explicit Consent Based on Legal Provisions
Where permitted by applicable legislation, special categories of personal data—excluding those relating to health and sexual life—may be processed without the explicit consent of the data subject. In such cases, GİMAS will carry out processing activities strictly within the scope of the relevant legal provision.
7.3. Processing Health and Sexual Life Data Without Explicit Consent for Medical and Healthcare Purposes
According to the KVKK, the processing of personal data relating to health and sexual life is conditional upon explicit consent. However, in the absence of such consent, processing is permitted for the purposes of preventive medicine, medical diagnosis, treatment, and care services, as well as for the planning and management of healthcare services and their financing, provided that the data is processed by persons or entities under a legal obligation of confidentiality. In such cases, GİMAS may process these data to the extent permitted by applicable legislation and under the obligation of confidentiality.
7.4. Measures to Be Taken for the Processing of Special Categories of Personal Data
The processing of special categories of personal data requires the implementation of additional security measures as determined by the Personal Data Protection Board. GİMAS undertakes to process such data in compliance with the Board’s specified requirements. The Personal Data Controller Team is responsible for monitoring these security measures and implementing them in GİMAS’s internal business processes as required by the Board.
8. TRANSFER OF PERSONAL DATA
Article 8 of the Personal Data Protection Law (KVKK) regulates the transfer of personal data to third parties within the country. As a general rule, personal data cannot be transferred to third parties without the explicit consent of the data subject. In the course of personal data transfers, the following criteria shall be observed. Compliance with all relevant legal provisions governing the transfer of personal data—and the adaptation of transfer processes in accordance with current or future legislation—is the responsibility of GİMAS and shall be monitored and coordinated by the KVKS Management Representative.
8.1. Domestic Transfer of Personal Data
8.1.1. Transfer Based on the Explicit Consent of the Data Subject
Pursuant to Article 8 of the KVKK, the primary condition for transferring personal data to third parties is the explicit consent of the data subject. GİMAS shall carefully determine which personal data the data subject consents to be shared domestically with third parties and proceed accordingly.
8.1.2. Transfer Without Explicit Consent Based on Conditions for Lawful Data Processing
In the absence of explicit consent, personal data may still be transferred domestically to third parties if one of the lawful processing conditions outlined in this Policy under Articles 6.2 through 6.8—and Article 5(2) of the KVKK—is fulfilled.
8.1.3. Transfer of Special Categories of Personal Data Without Explicit Consent Based on Legal Grounds
Special categories of personal data (excluding those relating to health and sexual life) may be transferred to third parties even without explicit consent, provided that such processing is expressly permitted by law. In such cases, GİMAS shall confirm that the conditions outlined in Article 7 of this Policy are met. The obligation to implement the necessary safeguards for processing special categories of personal data also applies to their transfer. These safeguards shall be monitored by the KVKS Management Representative and integrated into GİMAS’s internal procedures. Furthermore, any third party receiving such data must also implement the required safeguards. The identification and coordination of these measures shall be carried out under the supervision of the relevant department and the KVKS Management Representative.
8.2. International Transfer of Personal Data
8.2.1. Transfer Based on the Explicit Consent of the Data Subject
According to Article 9 of the KVKK, personal data may not be transferred abroad without the explicit consent of the data subject. Therefore, obtaining explicit consent from the data subject is the fundamental principle for international data transfers. GİMAS shall carefully determine which personal data is consented to be transferred abroad, and such transfers shall take into account the list of safe countries to be announced by the Personal Data Protection Board.
8.2.2. Transfer Without Explicit Consent Based on Conditions for Lawful Data Processing
If explicit consent is not obtained, personal data may still be transferred abroad under the conditions for lawful processing outlined in Articles 6.2 through 6.8 of this Policy and Article 5(2) of the KVKK, provided that the country receiving the data is included in the safe country list announced by the Personal Data Protection Board.
According to Article 9 of the KVKK, personal data may be transferred abroad only if the recipient country provides adequate protection. The list of safe countries will be monitored by the KVKS Management Representative and incorporated into GİMAS's internal procedures.
In cases where the destination country is not included in the safe country list, personal data may only be transferred if the data recipient in that country provides a written commitment to ensure adequate protection and if the transfer is approved by the Personal Data Protection Board.
9. DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
Even if personal data has been processed lawfully in accordance with the KVKK, other applicable legislation, and this Policy, it must be deleted, destroyed, or anonymized by GİMAS in cases where the reasons for processing no longer exist or upon the request of the data subject.
GİMAS shall establish an adequate administrative and technical infrastructure to comply with all current and future legislative provisions regarding the deletion, destruction, or anonymization of personal data.
10. OBLIGATIONS OF THE COMPANY AS DATA CONTROLLER
10.1. Obligation to Inform
In accordance with Article 10 of the KVKK, GİMAS shall inform the data subject at the time of collecting personal data on the following matters:
- The identity of the data controller and, if applicable, its representative,
- The purpose of processing personal data,
- To whom and for what purpose the personal data may be transferred,
- The method and legal basis of personal data collection,
- The rights of the data subject.
To fulfill this obligation lawfully, GİMAS has reviewed its business processes and data collection channels, categorized the relevant issues, transferred them to its data inventory, and established the necessary mechanisms to ensure that data subjects can exercise their rights. Appropriate communication channels have been created.
10.2. Obligation to Ensure Data Security
10.2.1. Obligation to Prevent Unlawful Processing of Personal Data
GİMAS is obliged to take all necessary technical and administrative measures to prevent the unlawful processing of personal data, even when such processing is conducted in accordance with the KVKK, other applicable legislation, and the principles set forth in this Policy.
To this end, GİMAS has implemented systems to prevent unlawful processing, appointed relevant personnel for oversight and supervision, and established relevant procedures. GİMAS shall also ensure regular updates to these systems in accordance with legal and technical developments.
10.2.1.1. Technical Measures for Lawful Processing of Personal Data
- GİMAS has analyzed personal data processing activities across departments and created a “Personal Data Inventory.” An administrative structure and software/hardware infrastructure have been established to monitor all processes from data collection to deletion. The KVKS Team is responsible for operation; the KVKS Management Representative is responsible for coordination, monitoring, audit, and evaluation.
10.2.1.2. Administrative Measures for Lawful Processing of Personal Data
- GİMAS will provide its employees with the necessary documentation (including this Policy) and training related to KVKK compliance and lawful data processing. Participation in training will be documented.
- Contracts and documents governing employment relationships will include clauses affirming compliance with KVKK, the prohibition of data disclosure, and confidentiality obligations that continue after employment ends. Noncompliance may result in disciplinary action, including termination.
- Data access within GİMAS is limited to relevant personnel based on processing purpose and departmental responsibilities.
- Department-specific data processing activities have been defined. Compliance will be monitored, and updates will be communicated to all staff through official channels. Once published, updates will be effective and binding without requiring individual notification. Coordination of audits and documents will be conducted by department heads in collaboration with the KVKS Management Representative.
10.2.2. Obligation to Prevent Unlawful Access to Personal Data
10.2.2.1. Technical Measures for Secure Access and Storage
- GİMAS shall implement and regularly update technical precautions in line with advancements in technology, conduct penetration testing, and comply with any technical standards issued by the Personal Data Protection Board.
- Technical solutions for access and authorization will be applied based on legal compliance requirements per department. Reports on implemented measures will be submitted to the KVKS Team and Management Representative. Necessary improvements will be made based on risk assessments.
- GİMAS will deploy antivirus software, firewalls, and security systems on all devices and networks used to access personal data.
- Technically qualified personnel will be employed for data security.
- Access authorizations and restrictions shall be defined per department, and user accounts and devices will be managed accordingly. These responsibilities will be carried out by the KVKS Management Representative, KVKS Team, department managers, and IT department.
- Measures will also apply to backup systems and disaster recovery planning, including contracts with third parties to ensure compliance with this Policy and KVKK requirements.
10.2.2.2. Administrative Measures for Secure Access and Storage
- All personnel will be trained on the technical precautions necessary to prevent unlawful access to personal data.
- Access rights will be restricted to relevant staff according to purpose. Not all personnel will have access to all personal data processed by GİMAS.
- All employment-related documents will include clauses affirming confidentiality and legal obligations under the KVKK—even after employment ends.
- Policies and procedures governing access rights will be prepared and communicated to all personnel.
- Performance indicators and compliance targets will be established to monitor and prevent unauthorized access or processing of personal data.
10.2.3. Auditing the Measures Taken to Protect Personal Data
GİMAS has implemented systems to conduct and manage audits regarding the efficiency of both technical and administrative measures. The results of such audits are reported to the KVKS Management Representative for internal assessment and to implement improvement actions.
GİMAS has designed processes to raise awareness and monitor compliance of departments, business partners, and suppliers regarding personal data protection. Regular reporting, verification testing, and audits are carried out accordingly.
In accordance with Article 12 of the KVKK, GİMAS is also responsible for ensuring that third parties to whom data is transferred process and store personal data in compliance with this Policy and legal regulations. Contracts with third parties shall include clauses requiring compliance and granting GİMAS audit rights. GİMAS shall also educate its employees specifically regarding the responsibilities related to third-party data transfers.
11. RIGHTS OF THE DATA SUBJECT
Pursuant to Article 11 of the Personal Data Protection Law (KVKK), the data subject has the following rights against GİMAS, acting in its capacity as Data Controller:
- To learn whether personal data is being processed and, if so, to request information about such processing,
- To learn the purpose of processing and whether personal data is being used in accordance with that purpose,
- To know the third parties to whom personal data has been transferred,
- To request correction of incomplete or inaccurate data, and—if the necessary conditions are met—to request deletion or destruction of personal data, and to request that these corrections or deletions be notified to third parties to whom the data has been transferred,
- To object to the occurrence of a result against them through the exclusive analysis of personal data by automated systems,
- To request compensation for damages arising from the unlawful processing of personal data.
If data subjects submit their requests regarding the rights listed above in writing or through other methods determined by the Personal Data Protection Board, GİMAS will process and finalize such requests free of charge within the shortest time possible and no later than thirty (30) days, in accordance with Article 13 of the KVKK. If the requested process incurs additional costs, GİMAS may charge a fee as determined by the Board. If the request is found to be caused by an error on the part of GİMAS, any fee collected will be refunded to the data subject.
When responding to such requests, GİMAS must provide clear and understandable information in written or electronic form. Based on the nature of the request, GİMAS may accept the request or reject it with a justified explanation. If the request is accepted, it will be fulfilled promptly.
If the data subject’s request is rejected, if the response is deemed insufficient, or if no response is provided within the legal timeframe, GİMAS shall inform the data subject of their right to lodge a complaint with the Personal Data Protection Board within thirty (30) days.
12. ENFORCEMENT AND UPDATES
This Policy shall enter into force on the date it is approved by GİMAS Management. Any changes to the Policy and the procedures for implementing such changes shall be carried out by the KVKS Management Representative and shall become effective upon the approval of the General Manager of GİMAS.
As a standard procedure, the Policy is reviewed and updated once a year. However, GİMAS reserves the right to review and, if necessary, update, amend, or repeal this Policy and replace it with a new one at any time due to legislative changes, amendments to referenced technical standards, actions or decisions of the Personal Data Protection Board, or court rulings.
The authority to repeal this Policy entirely lies with the GİMAS Board of Directors.