Data protection has always been a crucial matter for Centurion. Centurion keeps confidential the personal data obtained from natural persons for the Company's activities; takes any necessary technical and organisational measures for data protection; and never shares personal data with third persons unlawfully. Even before 7th April 2016, when the Data Protection Law came into force in Turkey, Centurion had adopted and applied data confidentiality as a fundamental work principle.
In order to comply with the Turkish Constitution, the Data Protection Law and other related legislation in all activities, the Company adopts all principles stated in the Data Protection Law and fulfils its legal obligations regarding data processing, data destruction, informing data subjects, and providing data security. This Data Protection Policy, which is prepared in this scope, is made accessible to all natural persons whose personal data are processed by the Company.
Freely given, specific and informed consent
Any natural person who has an employer-employee relationship with Centurion Ilac Sanayi Ve Ticaret Anonim Sirketi or its group companies based on an employment or service contract
“Data Protection Law”
Turkish Personal Data Protection Law no. 6698
Any information relating to an identified or identifiable natural person
“Anonymization of personal data”
Rendering personal data by no means identified or identifiable with a natural person even by linking with other data
Any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system
“Deletion of personal data”
Making personal data inaccessible and unfit for the re-use for relevant users
“Destruction of personal data”
Making personal data inaccessible, un-restorable and unfit for re-use for anyone
The Board of Protection of Personal Data
The Authority of Protection of Personal Data
“Special categories of personal data”
Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics
Centurion Ilac Sanayi Ve Ticaret Anonim Sirketi
“Centurion” or “Company”
Centurion Ilac Sanayi Ve Ticaret Anonim Sirketi
Natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller
Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.
1.2. PURPOSE AND SCOPE OF POLICY
This Policy explains the topics regarding personal data collection, usage, transfer, destruction and processing of data in other ways by Centurion; rights of data subjects; and organisational and technical measures taken by Company for protection of personal data. This Policy is applied to personal data of following data subject categories:
- Employee candidates,
- Shareholders of the Company,
- Executives of the Company,
- Employees of legal entities that are in cooperation with the Company,
- Any person who accesses any kind of services and applications provided by the Company,
- Third persons.
Personal data obtained from data subject based on his/her explicit consent or other legal grounds stated in Data Protection Law are processed by Centurion for fulfilment of legal obligations, providing services properly, improving the quality of services, enhancing quality policies and other purposes stated in this Policy.
2. DATA PROCESSING
2.1. DATA PROCESSING PRINCIPLES
Centurion complies with following data processing principles stated in article 4 of Data Protection Law.
- Fairness and Lawfulness
Centurion examines the source of personal data which are obtained from either the data subject or third parties and attaches importance to processing these data in a fair and lawful way. Within this framework, the Company, for the protection of personal data, gives the necessary notices to the parties to whom personal data are transferred.
- Accurate and Where Necessary Up to Date
Centurion attaches importance to ensuring that all personal data it holds are accurate and do not contain any wrong information. In case of a change in personal data, Centurion makes the necessary updates pursuant to the notifications it receives in this regard. The Company shows reasonable care and attention regarding the accuracy and up-to-dateness of personal data which its customers and/or third persons provide.
- Purpose Limitation (Processing only for specified, explicit and legitimate purposes)
Centurion identifies the Company’s legitimate and lawful data processing purposes explicitly before a data processing activity is started. Personal data are processed only for these pre-determined purposes.
- Data Minimisation (Adequate, relevant and limited to what is necessary in relation to the processing purposes)
Centurion performs data processing activities only for processing purposes. Unrelated and unnecessary personal data are not processed by the Company.
- Storage Limitation (Not keeping personal data longer than is necessary for the purposes for which the personal data is processed)
Centurion stores personal data only for the period designated by relevant legislation or necessitated by the purpose for which data are collected. At the end of determined retention periods, personal data are deleted, destroyed or anonymized.
These data processing principles are applied regardless of legal ground (explicit consent or others) which processing activity is based on. Centurion complies with general principles, data processing grounds and informs data subjects in accordance with law.
2.2. LEGAL GROUNDS OF PROCESSING PERSONAL DATA
Centurion processes personal data based on explicit consent or other legal grounds stated as follows:
- It is expressly permitted by any law;
- It is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent;
- It is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract;
- It is necessary for compliance with a legal obligation which the controller is subject to;
- The relevant information is revealed to the public by the data subject herself/himself;
- It is necessary for the institution, usage, or protection of a right;
- It is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
According to Data Protection Law; data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are special categories of personal data.
Centurion takes additional measures designated by the Data Protection Law and Board when special categories of personal data are processed.
Special categories of personal data are processed by the Company in compliance with article 6 of the Data Protection Law and the Regulation on Protection of Personal Health Data, which was published in the Official Gazette on October 20, 2016. Within this scope, special categories are processed based on the following grounds:
- Explicit consent of data subject.
- Processing of special categories of personal data other than those relating to health and sexual life is permitted by any law.
- Processing of data relating to health and sexual life for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorized institutions and organizations.
Rules and procedures regarding processing, destruction and protection of special categories of personal data are explained in the Centurion Ilac Sanayi Ve Ticaret Anonim Sirketi Protection and Processing of Special Categories of Personal Data Policy.
2.3. PURPOSES OF PROCESSING PERSONAL DATA
Centurion processes personal data based on legal grounds designated in articles 5 and 6 of Data Protection Law and for the following purposes.
In the scope of planning and operating human resources activities: personal data of employee candidates are processed for the purposes of evaluating suitability for the job and managing the recruitment processes; personal data of employees are processed especially for the purposes of performance of the employment contract, establishment of side benefits, managing of promotion/premium/wage increase processes, fulfilment of legal obligations of the Company arising from Labour Law and other legislation, carrying out social insurance procedures, and evaluating performances of employees.
In the scope of usual business activities and services provided to customers, the Company processes personal data to manage and operate processes of planning and operating activities of corporate sustainability; event management; management of relations with business partners and suppliers of the Company; financial reporting and risk management; legal transactions and judicial processes; corporate communication activities; corporate management activities; corporate law transactions; claim and complaint management; management of investor relations; providing security in facilities of the Company; recording and monitoring entrance and exits of visitors; determination and implementation of commercial and business strategies of the company; customer satisfaction, effectiveness of services; fulfilling legal demands of administrative and/or judicial bodies; legal processes and compliance; providing security of information technologies and preventing malicious usage.
Explicit consent of data subject is obtained by Centurion for the processing activities based on aforementioned purposes; unless one of other legal grounds designated in Data Protection Law is applicable.
2.4. METHODS OF PERSONAL DATA COLLECTION
Centurion collects personal data through various means and via different channels based on legal grounds stated in the Data Protection Law and legal reasons explained in this Policy. In this scope, personal data may be collected physically, electronically, orally or in writing via contracts, legal notifications, email or other communication channels. The main purpose of processing collected data, in general, is execution of contracts and providing more qualified services to related parties.
Personal data can be collected by Centurion in cases of usage of services provided by the Company; establishment of a legal relationship with the Company and communicating with the Company via email, mail or other means.
Centurion adopts fairness and lawfulness as a principle while collecting personal data from business and solution partners. Where necessary, personal data are collected from these parties by signing data protection agreements and all necessary measures for data security are taken in this regard.
Centurion processes personal data of its employees based on their explicit consent or other legal grounds in compliance with data minimisation principle. The Company ensures confidentiality and protection of employees’ personal data.
3. TRANSFER OF PERSONAL DATA
Centurion transfers personal data to third parties only for the purposes stated in this Policy and in accordance with articles 8 and 9 of Data Protection Law. In this context, collected personal data shall be transferred to following parties by the Company:
- Business partners
- Suppliers of the Company
- Customers of the Company
- To legally authorized public authorities upon request
- To solution partners of the Company
Main purposes of data transfer are as follows: Benefiting from outsourced services, fulfilling legal obligations, performing contracts, managing purchase and sale transactions, preventing and determining illegal and/or fraudulent activities related to services, performing other commercial activities lawfully.
Centurion adopts lawfulness as a principle in data transfer activities. Personal data which are transferred to third parties are limited to what is necessary in relation to services. Maximum efforts are made to ensure that these third parties take data security measures.
Personal data that are subject to transfer within the country or abroad are legally protected by data transfer agreements as well as technical data security measures.
The Company may transfer personal data to legally authorized public authorities and institutions in order to fulfil legal obligations. (In cases in which the Company is legally obliged to give information, including issues of the fight against crime, threats against state and public security etc.)
4. RETENTION AND DESTRUCTION OF PERSONAL DATA
In accordance with the Data Protection Law, Centurion stores personal data only for the period designated by relevant legislation or necessitated by the purpose for which data are collected. Retention periods of each personal data category are determined separately. In compliance with the Regulation on Erasure, Destruction and Anonymization of Personal Data, at the end of determined retention periods Centurion deletes, destroys or anonymizes related personal data at the following destruction cycle.
Deletion of data refers to making personal data inaccessible and unfit for re-use for ‘relevant users’; destruction of data refers to making personal data inaccessible, un-restorable and unfit for re-use for anyone; anonymization of data means turning data into a form which cannot be associated with an identified or identifiable real person, even if it is restored and/or linked or coupled with other data.
In this context Centurion has determined internal data destruction cycles and established a Data Retention and Destruction Policy. Centurion records all activities related to data destruction and keeps these records for at least three years, except for other legal obligations.
In case data subjects make a request for their personal data to be deleted or destroyed, Centurion;
- Deletes, destroys or anonymizes the data if none of the legal grounds for data processing is applicable. The request of the data subject is concluded within 30 days, and the data subject is informed.
- If none of the legal grounds for data processing is applicable and the personal data subject to the request were transferred to third persons, Centurion informs these third persons of the necessity of data destruction and ensures that the necessary operations are conducted by these third persons as well.
- If one or more legal grounds for data processing is still applicable, Centurion rejects the request by explaining the reasons in accordance with article 13 of Data Protection Law. Reasons of rejection are notified to data subject within 30 days in writing or electronically.
5. TECHNICAL AND ORGANISATIONAL MEASURES
Centurion takes technical and organisational measures for lawful processing of personal data within the bounds of the Company’s technical and financial possibilities. Such measures are also applied to special categories of personal data, together with additional ones designated by the Board. The Company conducts necessary internal audits periodically.
Centurion takes all necessary security measures to ensure that personal data are processed only for the purposes stated in this Policy; and to minimise the risks of malicious usage, unauthorized access, unauthorized transfer, destruction or change of personal data. These security measures include precautions on various topics such as transfer of personal data to third countries which do not have adequate level of protection.
Centurion respects data confidentiality. Personal data can only be accessed by authorized staff within the Company. In this regard, it is ensured that the Company’s software complies with standards, third party suppliers are selected carefully, and the Data Protection Policy is implemented within the Company.
In this scope, Centurion takes following technical and organisational measures:
- Data protection training programs and awareness-raising activities are organized for employees regularly.
- The Company prepares internal data protection policies based on personal data processing inventory and builds necessary processes for the implementation of prepared policies.
- The Company determines risks regarding data protection and performs necessary activities to eliminate/minimize these risks. For this purpose, active channels to send information notices and to obtain explicit consent are created.
- Internal data protection audits are conducted periodically.
- The Company benefits from consistent legal consultancy services to comply with updated legislations.
- For the protection of special categories of personal data, a separate policy is prepared, and additional measures determined by the Board are taken.
- Data Transfer Agreements are executed for the management of relationships with data processors of the Company.
- Firewalls, SSL, antivirus software, secure databases and other generally accepted security standards are applied.
- Secure technical infrastructures are prepared to provide security in the databases in which personal data are stored.
- Procedures for reporting audit results and application of technical measures are determined.
- Related organisational measures are taken regarding data protection.
- Security measures are constantly updated and improved.
In case data are damaged or become accessible to unauthorized persons as a result of attacks on the Company’s systems and/or on platforms operated by Centurion despite all data security measures taken, Centurion acts immediately to eliminate the breach and minimise the damage. Centurion notifies the breach to data subjects and the Board, and takes necessary measures in this regard.
6. RIGHTS OF DATA SUBJECTS
According to Turkish Constitution, everyone has the right to request the protection of his/her personal data. Rights of data subjects are stated in article 11 of Data Protection Law as follows:
Within this scope data subjects have the following rights;
- Learning if his/her personal data is processed;
- Requesting further information if his/her personal data have been processed;
- Learning the purpose of the processing personal data, and whether the data are being processed in compliance with such purpose or not;
- Learning the third-party recipients to whom the data are transferred within the country or abroad,
- Requesting rectification in case personal data are processed incompletely or inaccurately and request notification of third parties to whom personal data have been transferred,
- In case the reasons for which the personal data were processed are no longer valid, requesting erasure or destruction of personal data, or requesting that the transaction made in this regard be notified to third parties to whom the personal data have been transferred, although such personal data have been processed in accordance with the provisions stated under the Data Protection Law or other relevant legislation,
- Objecting to negative consequences about him/her that are concluded upon analysis of the processed personal data by solely automatic means,
- Demanding compensation for the damages he/she has suffered because of an unlawful personal data processing.
Centurion shall respond free of charge to the requests made by the data subject regarding his/her right of access, via methods stated under the Communiqué on Procedures and Principles for Application to Data Controller, within the shortest time possible depending on the content of the request and within thirty (30) days at the latest. However, if the access request requires additional cost, the price determined by the Personal Data Protection Board may be demanded.
Data subjects can make requests in writing or via a registered e-mail address (KEP), a secure electronic signature, a mobile signature or an e-mail address which is stated by data subjects or registered in the system of the data controller before the transaction. Data subjects must include the following information in their application:
- Name, surname and signature, if the application is made in writing.
- Turkish ID number (for Turkish citizens).
- Nationality, passport number or identity number, (for non-Turkish data subjects).
- Residential or work address for notification.
- E-mail address (if any), phone and fax number.
- Subject of the application.
Requests shall not be assessed unless they are in Turkish. For third parties to make applications on behalf of a data subject, a notarial power of attorney must be submitted.
7. CHANGES TO THIS POLICY
Centurion reserves the right to change this Policy at any time. Changes shall be valid from the date of publication. If necessary, data subjects will be informed of changes.