DP Policy

1. INTRODUCTION

Data protection has always been a crucial matter for Centurion. Centurion keeps personal data which are obtained from natural persons for activities of Company confidential; takes any necessary technical and organisational measures for data protection; and never shares personal data with third persons unlawfully. Even before 7th April 2016 on which Data Protection Law came into force in Turkey, Centurion has adopted and applied data confidentiality as a fundamental work principle.

In order to comply with Turkish Constitution, Data Protection Law and other related legislation in all activities, the Company adopts all principles stated in Data Protection Law and fulfils its legal obligations regarding data processing, data destruction, informing data subjects, and providing data security. This Data Protection Policy which is prepared in this scope, is made accessible for all natural persons whose personal data are processed by the Company.

1.1. DEFINITIONS

“Explicit consent”

Freely given, specific and informed consent

“Employee”

Any natural person who has an employer-employee relationship with Centurion Ilac Sanayi Ve Ticaret Anonim Sirketi or its group companies based on an employment or service contract

“Data Protection Law”

Turkish Personal Data Protection Law no. 6698

“Personal data”

Any information relating to an identified or identifiable natural person

“Anonymization of personal data”

Rendering personal data by no means identified or identifiable with a natural person even by linking with other data

“Data processing”

Any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system

“Deletion of personal data”

Making personal data inaccessible and unfit for the re-use for relevant users

“Destruction of personal data”

Making personal data refers to personal data inaccessible, un-restorable and unfit for re-use for anyone;

“Board”

The Board of Protection of Personal Data

“Authority”

The Authority of Protection of Personal Data

“Special categories of personal data”

Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics

“Policy”

Centurion Ilac Sanayi Ve Ticaret Anonim Sirketi

Centurion” or “Company

Centurion Ilac Sanayi Ve Ticaret Anonim Sirketi

Data processor

Natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller

Data controller

Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.

1.2. PURPOSE AND SCOPE OF POLICY
This Policy explains the topics regarding personal data collection, usage, transfer, destruction and processing of data in other ways by Centurion; rights of data subjects; and organisational and technical measures taken by Company for protection of personal data. This Policy is applied to personal data of following data subject categories:

Personal data obtained from data subject based on his/her explicit consent or other legal grounds stated in Data Protection Law are processed by Centurion for fulfilment of legal obligations, providing services properly, improving the quality of services, enhancing quality policies and other purposes stated in this Policy.

2. DATA PROCESSING

2.1. DATA PROCESSING PRINCIPLES

Centurion complies with following data processing principles stated in article 4 of Data Protection Law.

Centurion examines the source of personal data which are obtained from either data subject or third parties and gives importance to process these data in a fair and lawful way. In this frame, the Company, for the protection of personal data, makes necessary notices to the parties to whom personal data are transferred.

Centurion gives importance to ensure all personal data it holds to be accurate and not containing any wrong information. In case of change in personal data, Centurion makes necessary updates pursuant to notifications it received in this regard. The Company shows reasonable care and attention regarding accuracy and up-to-dateness of personal data which its customers and/or third persons provides.

Centurion identifies Company’s legitimate and lawful data processing purposes explicitly before data processing activity is started. Personal data are processed only for these pre-determined purposes.

Centurion performs data processing activities only for processing purposes. Unrelated and unnecessary personal data are not processed by the Company.

Centurion stores personal data only for the period designated by relevant legislation or necessitated by the purpose for which data are collected. At the end of determined retention periods, personal data are deleted, destroyed or anonymized.

These data processing principles are applied regardless of legal ground (explicit consent or others) which processing activity is based on. Centurion complies with general principles, data processing grounds and informs data subjects in accordance with law.

2.2. LEGAL GROUNDS OF PROCESSING PERSONAL DATA

Centurion processes personal data based on explicit consent or other legal grounds stated as follows:

According to Data Protection Law; data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are special categories of personal data.

Centurion takes additional measures designated by the Data Protection Law and Board when special categories of personal data are processed.

Special categories of personal data are processed by the Company in compliance with article 6 of Data Protection Law and Regulation on Protection of Personal Heath Data which is published in the Official Gazette on October 20, 2016. Within this scope, special categories are processed based on the following grounds:

Rules and procedures regarding processing, destruction and protection of special categories of personal data explained in Centurion Ilac Sanayi Ve Ticaret Anonim Sirketi Protection and Processing of Special Categories of Personal Data Policy.

2.3. PURPOSES OF PROCESSING PERSONAL DATA

Centurion processes personal data based on legal grounds designated in articles 5 and 6 of Data Protection Law and for the following purposes.

In the scope of planning and operating human resources activities; Personal data of employee candidates are processed for the purposes of evaluating suitability for the job; and managing the recruitment processes; Personal data of employees are processed especially for the purposes of performance of employment contract, establishment of side benefits, managing of promotion/premium/wage increase processes, fulfilment of legal obligations of the Company arisen from Labour Law and other legislation, carrying out social insurance procedures, evaluating performances of employees.

In the scope of usual business activities and services provided to customers, the Company processes personal data to manage and operate processes of planning and operating activities of corporate sustainability; event management; management of relations with business partners and suppliers of the Company; financial reporting and risk management; legal transactions and judicial processes; corporate communication activities; corporate management activities; corporate law transactions; claim and complaint management; management of investor relations; providing security in facilities of the Company; recording and monitoring entrance and exits of visitors; determination and implementation of commercial and business strategies of the company; customer satisfaction, effectiveness of services; fulfilling legal demands of administrative and/or judicial bodies; legal processes and compliance; providing security of information technologies and preventing malicious usage.

Explicit consent of data subject is obtained by Centurion for the processing activities based on aforementioned purposes; unless one of other legal grounds designated in Data Protection Law is applicable.

2.4. METHODS OF PERSONAL DATA COLLECTION

Centurion collects personal data through various means and via different channels based on legal grounds stated in Data Protection Law and legal reasons explained in this Policy. In this scope, personal data may be collected physically, electronically, orally or in writing via contracts, legal notifications, email other communication channels. Main purpose of processing collected data, in general, is execution of contracts and providing more qualified services to related parties.

Personal data can be collected by Centurion in cases of usage of services provided by the Company; establishment of a legal relationship with the Company and communicating with the Company via email, mail or other means.

Centurion adopts fairness and lawfulness as a principle while collection personal data by business and solution partners. Where necessary, personal data are collected from these parties by signing data protection agreements and all necessary measures for data security are taken in this regard.

Centurion processes personal data of its employees based on their explicit consent or other legal grounds in compliance with data minimisation principle. The Company ensures confidentiality and protection of employees’ personal data.

3. TRANSFER OF PERSONAL DATA

Centurion transfers personal data to third parties only for the purposes stated in this Policy and in accordance with articles 8 and 9 of Data Protection Law. In this context, collected personal data shall be transferred to following parties by the Company:

Main purposes of data transfer are as follows: Benefiting from outsourced services, fulfilling legal obligations, performing contracts, managing purchase and sale transactions, preventing and determining illegal and/or fraudulent activities related to services, performing other commercial activities lawfully.

Centurion adopts lawfulness as a principle in data transfer activities. Personal data which is transferred to third parties are limited to what is necessary in relation to services. Maximum efforts are made to ensure that these 3rd parties take data security measures.

Personal data that are subject to transfer within country or abroad, are legally protected by data transfer agreements as well as technical data security measures.

The Company may transfer personal data to legally authorized public authorities and institutions in order to fulfil legal obligations. (In cases which the Company is legally obliged to give information including issues of fight against crime, threatens against state and public security etc.)

4. RETENTION AND DESTRUCTION OF PERSONAL DATA

In accordance with Data Protection Law, Centurion stores personal data only for the period designated by relevant legislation or necessitated by the purpose for which data are collected. Retention periods of each personal data category are determined separately. In compliance with The Regulation on Erasure, Destruction and Anonymization of Personal Data, at the end of determined retention periods Centurion deletes, destroys or anonymize related personal data at the following destruction cycle.

Deletion of data refers to make personal data inaccessible and unfit for the re-use for ‘relevant users’ ; Destruction of data refers to make personal data inaccessible, un-restorable and unfit for re-use for anyone; Anonymization of data means turning data into a form which cannot be associated with an identified or identifiable real person, even if it is restored and/or linked or coupled by other data.

In this context Centurion determined internal data destruction cycles and established Data Retetion and Destruction Policy. Centurion records all activities related to data destruction and keep these records at least for three years except for other legal obligations.

In case data subjects make a request for their personal data to be deleted or destroyed, Centurion;

5. TECHNICAL AND ORGANISATIONAL MEASURES

Centurion takes technical and organisational measures for lawful processing of personal data within the bounds of Company’s technical and financial possibilities. Such measures are applied for also special categories of personal data with additional ones designated by the Board. The Company conducts necessary internal audits periodically.

Centurion takes all necessary security measures to ensure that personal data are processed only for the purposes stated in this Policy; and to minimise the risks of malicious usage, unauthorized access, unauthorized transfer, destruction or change of personal data. These security measures include precautions on various topics such as transfer of personal data to third countries which do not have adequate level of protection.

Centurion respects data confidentiality. Personal data can only be accessed by authorized staff within the Company. In this regard, it is ensured that the Company’s software comply with standards, third party suppliers are selected carefully, and Data Protection Policy is implemented within the Company.

In this scope, Centurion takes following technical and organisational measures:

In case data are damaged or became accessible by unauthorized persons as a result of attacks to Company’s systems and/or to platforms operated by Centurion despite all data security measures taken, Centurion acts immediately to eliminate breach and minimise the damage. Centurion notifies the breach to data subjects and Board; and takes necessary measures in this regard.

6. RIGHTS OF DATA SUBJECTS

According to Turkish Constitution, everyone has the right to request the protection of his/her personal data. Rights of data subjects are stated in article 11 of Data Protection Law as follows:

Within this scope data subjects have the following rights;

Centurion shall respond to the requests free of charge, that will be made by the data subject regarding his/her right of access via methods stated under Communiqué on Procedures and Principles for Application to Data Controller within the shortest time possible depending on the content of the request and within thirty (30) days at the latest. However, if the access request requires additional cost, the price determined by the Personal Data Protection Board may be demanded.

Data subjects can make requests via written or registered e-mail address (KEP), a secure electronic signature, a mobile signature or an e-mail which is stated by data subjects or registered in the system of data controller before the transaction. Data subjects must include following information to their application:

Requests shall not be assessed unless they are in Turkish. In order third parties to make applications on behalf of data subject notarial power of attorney must be submitted.

7. CHANGES TO THIS POLICY

Centurion reserves the right to change this Policy at any time. Changes shall be valid from the date of publication. If necessary, data subjects will be informed of changes.