Policy on the Protection and Processing of Personal Data
1. INTRODUCTION
In today's digital age, the right of individuals to the protection of their personal data has become a fundamental aspect of privacy and human rights. The General Data Protection Regulation (GDPR), which came into force on May 25, 2018, sets out comprehensive rules for the processing and safeguarding of personal data within the European Union and beyond.
Under the GDPR, personal data means only information relating to identified or identifiable natural persons; data about legal entities and properly anonymized data fall outside its scope. The GDPR protects individuals' rights to privacy and to the security of their data, and includes provisions on the definition and classification of personal data, the processing of such data, the obligations of data controllers and processors, the establishment of supervisory authorities, and procedures for lodging complaints.
GIMAS GİRGİN MAKİNE İMALAT MONTAJ VE MÜHENDİSLİK SAN. TİC. A.Ş., operating in the field of steel structure manufacturing, is committed to ensuring the security of personal data with the same level of diligence it applies to its industrial operations. Within the framework of its core principles (high service quality, respect for individual rights, transparency, and integrity), GIMAS strives to align its internal processes with the GDPR, relevant guidelines issued by supervisory authorities, and other applicable international data protection standards.
Accordingly, this Policy has been established to ensure full compliance with the GDPR and to allow our customers and stakeholders to exercise the rights afforded to them under this regulation.
2. PURPOSE AND SCOPE
2.1. The purpose of this Policy is to ensure that the data protection principles outlined above, in alignment with the General Data Protection Regulation (GDPR), are effectively implemented across GIMAS, including by its employees and business partners.
2.2. In accordance with the key principles set out in this Policy, GIMAS shall take all necessary administrative and technical measures for the processing and protection of personal data, establish internal procedures, provide relevant training to raise awareness, and implement appropriate monitoring mechanisms to ensure full compliance with GDPR by its employees and business partners.
2.3. This Policy defines the fundamental principles to be observed in all data processing activities and outlines GIMAS’s responsibilities for guiding its internal operations in accordance with the GDPR and other applicable legislation. The internal procedures to be established under the GDPR will govern GIMAS’s data protection compliance efforts. All GIMAS employees are required to carry out their duties in full compliance with this Policy, the GDPR, and any other applicable data protection regulations.
2.4. In the event of non-compliance with this Policy or relevant legal provisions, GIMAS reserves the right to take disciplinary action, including, depending on the nature of the violation, termination of the employment contract on justified grounds, in addition to any legal or regulatory sanctions provided under applicable law.
3. DEFINITIONS
3.1. Explicit Consent
Refers to a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them (Article 4(11) GDPR). Explicit consent is the stricter form of this consent that the GDPR requires for the processing of special categories of personal data (Article 9(2)(a)) and for certain transfers to third countries (Article 49(1)(a)); it must be given by an express statement, and pre-ticked boxes, silence, or inactivity do not suffice.
The data controller must be able to demonstrate that the data subject has consented (Article 7(1)), so the burden of obtaining and documenting consent rests with GIMAS. Therefore, all consent records and associated disclosures shall be stored and protected in accordance with the company’s internal procedures, and data subjects shall be able to withdraw consent at any time as easily as they gave it (Article 7(3)).
3.2. Anonymization
Refers to the process by which personal data is rendered anonymous in such a manner that the data subject is not or no longer identifiable, even when cross-referenced with other data.
Anonymization is itself a processing operation and therefore requires a legal basis; once personal data has been anonymized in line with GDPR requirements, including where this is done in response to a data subject’s request for erasure, it falls outside the scope of the GDPR (Recital 26). GIMAS shall take all necessary measures to ensure that anonymized data cannot be re-identified by any means reasonably likely to be used, including cross-referencing with other data held by GIMAS or by third parties.
3.3. Data Subject
Refers to the identified or identifiable natural person to whom the personal data relates.
This includes individual customers of GIMAS, potential customers, current and former employees, job applicants, representatives of suppliers and client institutions, interns and intern candidates, business partners, shareholders, visitors, website users, applicants, and representatives of legal entities, as well as any other natural person stakeholder whose personal data is processed and protected by GIMAS under this Policy and in accordance with GDPR.
3.4. Personal Data
Refers to any information relating to an identified or identifiable natural person.
Examples include, but are not limited to: national identity numbers, names, email addresses, telephone numbers, residential addresses, birth dates, and bank account numbers. Within GIMAS, personal data is categorized, and internal policies define who can process each category of data, for what purposes, and for how long.
3.5. Processing of Personal Data
Means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction (Article 4(2) GDPR).
3.6. Special Categories of Personal Data
Includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation, as well as data relating to criminal convictions and offences or related security measures.
3.7. Data Processor
Refers to a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller and under its authority.
GIMAS defines, by internal procedures, which personnel have access to personal data, the scope and purpose of their access, and the limitations on the actions they can perform on such data. Where GIMAS engages an external processor (for example, an IT service or payroll provider), the processing is governed by a written contract containing the terms required by Article 28 GDPR, and the processor may act only on GIMAS’s documented instructions.
3.8. Data Controller
Refers to a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
GIMAS acts as the data controller under the GDPR. Within the company, a Data Protection Officer (DPO) or a designated Data Protection Representative shall be appointed to oversee and coordinate compliance efforts. This representative will be responsible for the implementation and monitoring of all GDPR-related processes. In matters requiring formal decision-making, the representative shall consult with legal counsel before presenting compliance recommendations to management for final approval and execution.
4. IMPLEMENTATION AND RESPONSIBILITIES
4.1. GIMAS, in its capacity as the Data Controller, is responsible for ensuring that all internal operations and processes are conducted in accordance with this Policy.
4.2. The implementation of regulations, procedures, guidelines, standards, and training activities developed in line with this Policy shall be coordinated by the designated Data Protection Representative (DPR), with the support of the Legal Advisor and internal audit department where necessary.
4.3. All employees, business partners, visitors, and other relevant third parties across GIMAS are required to cooperate with the Data Protection Representative to ensure compliance with this Policy and to mitigate legal liabilities, risks, and threats that may arise under applicable data protection legislation.
4.4. All GIMAS departments and units including their personnel are obliged to act in accordance with this Policy and to ensure that its provisions are properly implemented.
4.5. This Policy shall be made continuously accessible to all personnel by uploading it to GIMAS’s internal information systems. Additionally, the Policy will be published on the GIMAS corporate website. Any updates to the Policy will be promptly reflected both in internal systems and on the website to ensure that data subjects are informed of the current principles outlined in the Policy. The publication of the Policy and its subsequent updates shall be managed by the Data Protection Representative.
4.6. In the event of any conflict between the provisions of this Policy and applicable legislation, GIMAS, in its capacity as Data Controller, acknowledges that the provisions of the legislation shall prevail. The Data Protection Representative shall be responsible for managing the process of updating the Policy to ensure alignment with the legal requirements in such cases.
5. PRINCIPLES FOR PERSONAL DATA PROCESSING
5.1. General Principles in the Processing of Personal Data
GIMAS, in accordance with Article 5 of the General Data Protection Regulation (GDPR), undertakes to process all personal data falling under the scope of this Policy in compliance with the following principles, together with the principles of integrity and confidentiality (Article 5(1)(f)) and accountability (Article 5(2)), which are addressed through the security and audit measures in Section 10:
5.1.1. Lawfulness, Fairness, and Transparency
GIMAS, as the Data Controller and in line with its duty to act as a prudent commercial operator, shall carry out all personal data processing activities lawfully, fairly, and in a transparent manner, in accordance with the applicable laws and regulations, including the GDPR and relevant international standards.
5.1.2. Accuracy and Up-to-Dateness
GIMAS shall take all reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. Administrative and technical mechanisms shall be established to correct or verify inaccurate or outdated personal data either upon the data subject’s request or as deemed necessary by GIMAS.
5.1.3. Purpose Limitation
Personal data shall be collected and processed for specified, explicit, and legitimate purposes. GIMAS ensures that the purpose of processing is clearly defined prior to the collection of any personal data, and that data is not further processed in a manner incompatible with those purposes.
5.1.4. Data Minimization
Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. GIMAS avoids the collection or processing of personal data that is not required for its declared purposes.
5.1.5. Storage Limitation
Personal data shall be retained only for as long as necessary for the purposes for which it was collected or as required by applicable legal or regulatory obligations. At the end of the relevant retention period, personal data will be securely deleted, destroyed, or anonymized by GIMAS. Appropriate administrative and technical safeguards will be implemented to ensure timely and compliant data disposal.
6. LEGAL BASES FOR PROCESSING PERSONAL DATA
Under Article 6 of the General Data Protection Regulation (GDPR), personal data may only be processed when there is a valid legal basis. GIMAS ensures that all data processing activities are carried out in accordance with at least one of the lawful grounds specified below:
6.1. Consent of the Data Subject
As a general rule, GIMAS processes personal data only where the data subject has given freely given, specific, informed, and unambiguous consent for specific purposes. This consent must be based on adequate information about the intended processing activities, and the data subject may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
6.2. Compliance with a Legal Obligation
In certain cases, GIMAS may be required to process personal data to comply with its legal obligations under applicable laws and regulations. In such instances, consent from the data subject is not required, provided the processing is necessary and proportionate.
6.3. Vital Interests of the Data Subject or Another Individual
Where processing is necessary to protect the vital interests (life or physical integrity) of the data subject or of another natural person, GIMAS is permitted to process the data (Article 6(1)(d)). This ground is relied upon only where the processing cannot manifestly be based on another legal basis (Recital 46). For special categories of personal data, Article 9(2)(c) additionally requires that the data subject be physically or legally incapable of giving consent.
6.4. Performance of a Contract
If the processing of personal data is necessary for the conclusion or performance of a contract to which the data subject is a party, GIMAS may process such data without requiring separate consent.
6.5. Legal Obligations of the Data Controller
GIMAS may process personal data when such processing is necessary to fulfill the obligations that the GDPR itself imposes on it as a Data Controller, for example maintaining records of processing activities (Article 30), responding to data subject requests (Articles 15 to 22), or notifying personal data breaches (Articles 33 and 34), provided the scope of the processing remains within the boundaries of that obligation.
6.6. Public Disclosure by the Data Subject
Where the data subject has manifestly made their personal data publicly available, GIMAS may process such data in a manner that is consistent with the scope and purpose of its disclosure. Under the GDPR this does not remove the need for a legal basis under Article 6 (in practice, legitimate interests); public disclosure by the data subject is an independent exception only for special categories of data under Article 9(2)(e).
6.7. Establishment, Exercise, or Defense of Legal Claims
GIMAS is entitled to process personal data when it is necessary for the establishment, exercise, or defense of legal claims. For ordinary personal data this processing rests on GIMAS’s legitimate interests (Article 6(1)(f)); for special categories of data it is expressly permitted by Article 9(2)(f).
6.8. Legitimate Interests of the Data Controller
GIMAS may process personal data where it is necessary for its legitimate interests or those of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (Article 6(1)(f)). Before relying on this ground, GIMAS carries out and documents the balancing test this requires. Legitimate interest shall never conflict with the principles of lawfulness, fairness, or purpose limitation, nor shall it compromise any constitutional rights.
7. CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA
Under Articles 9 and 10 of the General Data Protection Regulation (GDPR), the processing of special categories of personal data is generally prohibited unless specific conditions are met. GIMAS has identified and classified such data within its internal operations and ensures that all relevant processing activities comply with the legal bases set out under the GDPR.
Special categories of personal data include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric and genetic data, data concerning health or sex life, and data relating to criminal convictions and offenses.
7.1. Processing Based on Explicit Consent
As a rule, GIMAS does not process special categories of personal data unless the data subject has given explicit consent for one or more specified purposes. Where required, GIMAS will obtain the data subject’s explicit and informed consent prior to initiating processing. Any processing will remain strictly within the scope of the granted consent. Exceptions to this rule, as permitted under GDPR, remain reserved.
7.2. Processing Without Consent When Permitted by Law
In cases where EU or Member State law permits the processing of special categories of personal data without the data subject’s consent (excluding data concerning health or sex life, which is addressed in 7.3), GIMAS may proceed with such processing strictly within the boundaries of the relevant legal provision and subject to the safeguards that provision requires.
7.3. Processing of Health and Sex Life Data for Medical or Public Interest Purposes
GIMAS may process special categories of personal data relating to a data subject’s health or sex life without explicit consent only where the processing is necessary for (Article 9(2)(h)):
• preventive or occupational medicine,
• the assessment of the working capacity of an employee,
• medical diagnosis,
• the provision of health or social care or treatment,
• or the management of health or social care systems and services,
and only if such processing is carried out by or under the responsibility of a professional subject to the obligation of professional secrecy (e.g., healthcare professionals), as required by Article 9(3).
7.4. Safeguards for Processing Special Categories of Personal Data
GIMAS implements appropriate technical and organizational measures to safeguard special categories of personal data in line with Article 32 of the GDPR and relevant supervisory authority guidance. The company’s Data Protection Team is responsible for ensuring that such measures are applied consistently across all internal processes involving special category data and for keeping up to date with evolving security standards.
8. TRANSFER OF PERSONAL DATA
Under the General Data Protection Regulation (GDPR), the transfer of personal data to third parties, whether within the European Economic Area (EEA) or internationally, must comply with specific legal requirements. GIMAS ensures that all data transfer activities are carried out lawfully, transparently, and with appropriate safeguards in place.
8.1. Transfers Within the EEA
8.1.1. Based on the Data Subject’s Explicit Consent
As a general rule, GIMAS will not transfer personal data to third parties without the explicit and informed consent of the data subject. The scope of the consent will be carefully documented, and data transfers will only be carried out in accordance with the data subject’s instructions.
8.1.2. Transfers Based on Other Legal Grounds (Without Consent)
Where consent is not obtained, personal data may still be transferred to third parties if one of the other lawful bases for processing applies (as defined in Section 6 of this Policy and Articles 6 and 9 of the GDPR). These include compliance with legal obligations, performance of a contract, protection of vital interests, or the establishment, exercise, or defense of legal claims.
8.1.3. Transfers of Special Category Data Without Consent
Special categories of personal data (excluding data related to health or sex life) may be transferred without consent only if such processing is expressly permitted by applicable laws. GIMAS ensures that these conditions are verified and met prior to any transfer. Additionally, all necessary technical and organizational measures for the protection of special category data must be implemented by both GIMAS and the receiving party. The Data Protection Representative is responsible for ensuring proper coordination, risk assessment, and documentation of these transfers.
8.2. Transfers to Third Countries (Outside the EEA)
8.2.1. Transfers Based on Explicit Consent
Where personal data is transferred to recipients outside the EEA, explicit consent of the data subject is a derogation under Article 49(1)(a) that GIMAS relies on only where neither an adequacy decision nor appropriate safeguards (see 8.2.2) are available. Before consenting, the data subject is informed of the possible risks of the transfer arising from the absence of an adequacy decision and appropriate safeguards. The scope of consent, the identity of the recipient, and the nature of the data being transferred will be clearly documented.
8.2.2. Transfers Without Consent Based on Adequacy or Appropriate Safeguards
Even in the absence of consent, international data transfers may take place if:
• The recipient country has been recognized by the European Commission as providing an adequate level of data protection (Adequacy Decision),
• Or appropriate safeguards (such as Standard Contractual Clauses, Binding Corporate Rules, or other instruments recognized under Article 46) have been put in place between GIMAS and the recipient.
Before any data transfer outside the EEA, GIMAS will assess whether the recipient country is covered by an adequacy decision and, if not, will implement one of the recognized safeguards and ensure that the recipient provides sufficient contractual guarantees. Where Standard Contractual Clauses or Binding Corporate Rules are used, GIMAS also assesses whether the law and practice of the destination country could prevent the recipient from honouring them (as required by the CJEU in Case C-311/18, Schrems II) and adopts supplementary technical or contractual measures, such as encryption with keys held only within the EEA, where necessary. These requirements shall be monitored and documented by the Data Protection Representative in coordination with the relevant departments.
In exceptional cases where neither adequacy decisions nor appropriate safeguards are available, GIMAS will rely on one of the specific derogations outlined in Article 49 of the GDPR, such as the explicit consent described in 8.2.1, the necessity of the transfer for contract performance, or the protection of vital interests. Derogations are interpreted restrictively and are not used for systematic or repetitive transfers.
9. ERASURE, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
Even if personal data has been processed lawfully in accordance with this Policy and applicable legislation, GIMAS shall delete, destroy, or anonymize personal data when:
• The purpose for processing has ceased to exist and no legal retention obligation applies,
• The retention period defined under Section 5.1.5 has expired,
• The data subject withdraws the consent on which the processing was based and no other legal basis applies, or
• The data subject exercises their right to erasure (right to be forgotten) under GDPR Article 17.
GIMAS will establish the necessary technical and administrative infrastructure to ensure compliance with relevant legal provisions and to execute erasure, destruction, or anonymization procedures securely and effectively.
10. OBLIGATIONS OF THE COMPANY AS DATA CONTROLLER
10.1. Duty to Inform (Transparency Obligation)
In line with GDPR Articles 13 and 14, GIMAS is obliged to inform data subjects at the time of data collection (or, where the data is not obtained from the data subject, within a reasonable period and at the latest within one month), including the following information:
• The identity and contact details of the data controller and, where applicable, the data protection officer,
• The purposes and legal basis for processing, including the legitimate interests pursued where that is the basis,
• The recipients or categories of recipients of the data, and any intended transfer to a third country together with the safeguards relied upon,
• The retention period or the criteria used to determine it, and, where the data is not obtained from the data subject, the source of the data,
• The data subject’s rights under GDPR, including the right to withdraw consent and to lodge a complaint with a supervisory authority.
To ensure this obligation is met, GIMAS has reviewed all data collection processes, created a data inventory, and implemented mechanisms and communication channels that allow data subjects to exercise their rights effectively.
10.2. Obligation to Ensure the Security of Personal Data
10.2.1. Preventing Unlawful Processing
GIMAS is committed to preventing unlawful processing of personal data. It has implemented technical and organizational measures to ensure that all data processing activities comply with the GDPR.
• Internal systems are in place to detect and prevent unauthorized processing,
• Personnel responsible for monitoring and compliance have been designated,
• Systems are regularly reviewed and updated in response to legal and technical developments.
10.2.1.2. Technical Measures to Ensure Lawful Processing
• All data processing activities are mapped, and a Data Inventory is maintained,
• Administrative structures and IT systems for tracking and controlling data from collection to destruction have been established,
• The Data Protection Team is responsible for execution, while the Data Protection Representative oversees coordination and audits.
10.2.2. Organizational Measures to Ensure Lawful Processing
• All employees receive training on data protection and this Policy,
• Internal documents and employment agreements include clauses on the lawful handling and confidentiality of personal data, which continue beyond the termination of employment,
• Access to personal data is restricted based on the data processing purpose and granted only to relevant personnel,
• Updates to policies and procedures are communicated promptly to all staff and are binding once published.
10.2.3. Preventing Unauthorized Access to Personal Data
10.2.3.1. Technical Safeguards
• GIMAS uses up-to-date cybersecurity tools, including anti-virus software, firewalls, and intrusion detection systems,
• Periodic penetration testing and vulnerability assessments are conducted,
• Access to data systems is restricted using role-based access controls and device-level security,
• Backup systems are secured using the same standards as primary systems, and third parties handling backups are contractually bound to GDPR compliance.
10.2.3.2. Administrative Safeguards
• Employees are trained regularly to prevent unauthorized access,
• Access to personal data is limited based on job role and processing necessity,
• All contractual documents contain obligations related to confidentiality and compliance with GDPR,
• Performance metrics are used to monitor compliance with data access protocols.
10.2.4. Monitoring and Auditing Data Security Measures
GIMAS has established internal audit mechanisms to monitor the effectiveness of all technical and administrative data protection measures. The Data Protection Representative receives regular reports and ensures continuous improvement of security protocols.
Additionally:
• Business units, partners, and suppliers are subject to regular awareness activities and audits,
• Third parties receiving personal data must agree contractually to comply with data protection obligations and grant GIMAS audit rights,
• All employees are made aware of their responsibilities concerning third-party data transfers and security risks.
11. RIGHTS OF THE DATA SUBJECT
In accordance with Articles 12–23 of the General Data Protection Regulation (GDPR), data subjects have the right to request from GIMAS, as the Data Controller, the following:
• To confirm whether their personal data is being processed and, if so, to obtain access to such data,
• To be informed about the purposes of processing and whether data is being used in accordance with those purposes,
• To be informed about the recipients or categories of recipients to whom the personal data has been or will be disclosed,
• To request the rectification of inaccurate or incomplete personal data,
• To request the erasure of personal data (right to be forgotten), under the conditions set forth in Article 17 of the GDPR,
• To request the restriction of processing under certain conditions,
• To object to the processing of their personal data where it is based on legitimate interests or for direct marketing purposes,
• Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects them,
• To receive their personal data in a structured, commonly used, and machine-readable format (data portability), where applicable,
• To withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing carried out before the withdrawal,
• To lodge a complaint with a supervisory authority if they believe their rights under the GDPR have been violated.
Requests related to the rights above must be submitted to GIMAS in writing or via other methods authorized under applicable data protection laws. GIMAS shall respond to such requests without undue delay and no later than one month from the date of receipt. If the request is complex or involves multiple issues, this period may be extended by a further two months, in which case the data subject shall be informed.
Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, GIMAS may charge a reasonable fee or refuse to act on the request. If the request results from an error attributable to GIMAS, no fee shall be charged.
All responses to requests shall be provided in a clear, concise, and intelligible manner. GIMAS may refuse a request by providing justification. In such cases, GIMAS shall inform the data subject without undue delay, and at the latest within one month of receipt of the request, of the reasons for not acting and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy (Article 12(4)).