PERSONAL DATA PROTECTION POLICY

PERSONAL DATA PROTECTION CLARIFICATION TEXT



1. Legal Basis: Article 20 of the Constitution grants everyone the right to demand the protection of their personal data. Law No. 6698 on the Protection of Personal Data establishes the basic rule that personal data may be processed only in the cases stipulated by law or with the explicit consent of the person concerned. As a company, we attach the utmost importance to protecting and processing personal data in accordance with the law, and we act with this care in all our planning and activities.

2. Purpose: Law No. 6698 on the Protection of Personal Data regulates the protection of the fundamental rights and freedoms of individuals, in particular the privacy of private life, in the processing of personal data, as well as the obligations of natural and legal persons who process personal data and the procedures and principles they must comply with. The aim of this policy, which was prepared with that regulation in mind, is to ensure compliance with the obligations concerning the protection of personal data; to process and transfer the information provided within the scope of the Company's activities and to protect its confidentiality; to evaluate the related risks with a risk-based approach; to determine the strategies, internal controls and measures, operating rules and responsibilities; and to raise the awareness of the Company's employees on these matters.

3. Scope: This policy covers all personal data of our customers, potential customers, employees, employee candidates, Company shareholders, Company officials, visitors, the employees, shareholders and officials of the institutions we cooperate with, and third parties, which are processed wholly or partly by automatic means, or by non-automatic means provided that the data form part of a data recording system.

4. Definitions

1. Explicit Consent: Consent on a specific subject, based on information and expressed with free will.
2. Anonymization: Altering personal data so that it can no longer be associated with an identified or identifiable natural person, in a way that cannot be reversed. Example: rendering personal data incapable of being associated with a natural person by techniques such as masking, aggregation or data corruption.
3. Employee: Persons working in the Company pursuant to an employment contract concluded with the Company.
4. Employee Candidate: Natural persons who have applied for a job at the Company by any means or have made their CV and related information available for the Company's review.
5. Employees, Shareholders and Officials of the Institutions We Cooperate With: Natural persons working in the institutions with which the Company has any business relationship (such as, but not limited to, business partners and suppliers), including the shareholders and officials of those institutions.
6. Processing of Personal Data: Any operation performed on personal data, wholly or partly by automatic means or, provided that the data form part of a data recording system, by non-automatic means, such as obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making available, classifying or blocking the use of the data.
7. Personal Data Owner (Data Subject): The natural person whose personal data is processed, e.g. customers and employees.
8. Personal Data: Any information relating to an identified or identifiable natural person, e.g. name and surname, TR identity number, e-mail address, postal address, date of birth, credit card number. Information relating to legal persons is not within the scope of the Law.
9. Customer: Natural persons who use or have used the products and services offered by the Company, regardless of whether they have a contractual relationship with the Company.
10. Personal Data of Special Nature (Sensitive Personal Data): Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
11. Potential Customer: Natural persons who have requested or shown interest in using our products and services, or who, in accordance with commercial practice and the rules of good faith, may be evaluated as having such an interest.
12. Company Shareholders: Natural persons who are shareholders of the Company.
13. Company Officials: Members of the Company's board of directors and other authorized natural persons.
14. Third Party: Natural persons (e.g. family members and relatives) related to the parties listed above, whose data is processed in order to ensure the security of commercial transactions between the Company and those parties, or to protect the rights and interests of those persons.
15. Data Processor: The natural or legal person who processes personal data on behalf of the Data Controller, based on the authority granted by the Data Controller; for example, the firm or firms that host the Company's data.
16. Data Controller: The person who determines the purposes and means of processing personal data, manages the system in which the data is kept (the data recording system), provides the data owner with the necessary information about their personal data in response to a request or application, and handles referrals.
17. Visitor: Natural persons who have entered the physical premises owned by the Company for various purposes or have visited our websites.

5. Abbreviations
1. KVKK: Law No. 6698 on the Protection of Personal Data, dated 24 March 2016, published in the Official Gazette dated 7 April 2016 and numbered 29677.
2. Constitution: The Constitution of the Republic of Turkey, dated 7 November 1982 and numbered 2709, published in the Official Gazette dated 9 November 1982 and numbered 17863.
3. KVK Board: Personal Data Protection Board.
4. KVK Authority: Personal Data Protection Authority.
5. Policy: The Company's Personal Data Protection and Processing Policy.
6. TBK: Turkish Code of Obligations, dated 11 January 2011 and numbered 6098, published in the Official Gazette dated 4 February 2011 and numbered 27836.
7. TCK: Turkish Penal Code, dated 26 September 2004 and numbered 5237, published in the Official Gazette dated 12 October 2004 and numbered 25611.
8. TCC: Turkish Commercial Code, dated 13 January 2011 and numbered 6102, published in the Official Gazette dated 14 February 2011 and numbered 27846.
6. Data Categories: The Company may record, process or transfer data in the following data categories.
1. Identity (name, surname, mother's and father's names, date of birth, place of birth, marital status, identity card serial number, TR identity number)
2. Contact (address number, e-mail address, contact address, registered electronic mail (KEP) address, phone number)
3. Location (location information)
4. Personnel (payroll information, disciplinary investigation records, entry and exit records, CV information, performance evaluation reports)
5. Legal Action (information in correspondence with judicial authorities, information in case files)
6. Customer Transaction (invoice information)
7. Physical Space Security (entry and exit records of employees and visitors, camera recordings)
8. Transaction Security (IP address, website login and logout information, password and passphrase information, MAC address, user account information)
9. Risk Management (information on commercial, technical and administrative risks processed for risk management)
10. Finance (information required for personnel and supplier payments, bank account number, credit and risk information)
11. Professional Experience (diploma information, courses attended, training information, certificates, transcript information)
12. Marketing (shopping history, survey responses, cookie records, information obtained through campaign activities)
13. Audio and Visual Recordings
14. Religious Information (religious affiliation recorded on old-style identity cards)
15. Appearance and Dress (information on clothing)
16. Association Membership (association membership information)
17. Foundation Membership (foundation membership information)
18. Union Membership (trade union membership information)
19. Health Information (disability information, blood type, personal health information, devices and prostheses used)
20. Criminal Conviction and Security Measures (information on criminal convictions, information on security measures)
8. Purposes of Personal Data Processing: The Company may record, process or transfer personal data for the following purposes.
1. Execution of Emergency Management Processes
2. Execution of Information Security Processes
3. Execution of Employee Candidate / Intern / Student Selection and Placement Processes
4. Execution of Employee Candidates' Application Processes
5. Execution of Employee Satisfaction and Loyalty Processes
6. Fulfillment of Employment Contract and Legislative Obligations for Employees
7. Execution of Fringe Benefit and Allowance Processes for Employees
8. Execution of Audit / Ethical Activities
9. Execution of Training Activities
10. Execution of Access Authorizations
11. Execution of Activities in Compliance with the Legislation
12. Execution of Finance and Accounting Affairs
13. Ensuring Physical Space Security
14. Execution of Assignment Processes
15. Follow-up and Execution of Legal Affairs
16. Execution of Internal Audit / Investigation / Intelligence Activities
17. Execution of Communication Activities
18. Planning of Human Resources Processes
19. Execution / Supervision of Business Activities
20. Execution of Occupational Health / Safety Activities
21. Receiving and Evaluating Suggestions for the Improvement of Business Processes
22. Execution of Business Continuity Activities
23. Execution of Logistics Activities
24. Execution of Goods / Services Procurement Processes
25. Execution of Goods / Services Sales Processes
26. Execution of Goods / Services Production and Operation Processes
27. Organization and Event Management
28. Execution of Performance Evaluation Processes
29. Execution of Risk Management Processes
30. Execution of Storage and Archive Activities
31. Execution of Social Responsibility and Civil Society Activities
32. Execution of Contract Processes
33. Execution of Sponsorship Activities
34. Execution of Strategic Planning Activities
35. Follow-up of Requests / Complaints
36. Ensuring the Security of Movable Property and Resources
37. Execution of Supply Chain Management Processes
38. Execution of Remuneration Policy
39. Ensuring the Security of Data Controller Operations
40. Work and Residence Permit Procedures for Foreign Personnel
41. Execution of Investment Processes
42. Execution of Talent / Career Development Activities
43. Providing Information to Authorized Persons, Institutions and Organizations
44. Execution of Management Activities
45. Creation and Follow-up of Visitor Records
9. Personal Data Transfer Recipient Groups: The Company may transfer personal data to the following recipient groups.
1. Natural Persons and Private Law Legal Entities
2. Shareholders
3. Business Partners
4. Suppliers
5. Group Companies
6. Authorized Public Institutions and Organizations
10. Persons Subject to Personal Data Processing: The Company may record, process or transfer the personal data of the following groups of persons.
1. Employee Candidates
2. Employees
3. Shareholders / Partners
4. Interns
5. Supplier Employees
6. Supplier Officials
7. Visitors

11. Personal Data Retention Periods: Personal data retention periods are regulated in detail in the Personal Data Retention and Destruction Policy.

12. Deletion, Destruction or Anonymization of Personal Data:
1. Even though personal data has been processed in accordance with the law, when the reasons requiring its processing cease to exist, the data is deleted, destroyed or anonymized by the data controller, either ex officio or upon the request of the data subject.
2. The data controller deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize it arises.
3. The actions to be taken on these matters are explained in detail in the Personal Data Retention and Destruction Policy.

13. Transfer of Personal Data: Personal data obtained for processing within the framework of the general principles specified in the Law may be transferred to third parties by obtaining the explicit consent of the person concerned.
1. Domestic transfer: Details regarding the domestic transfer of personal data and personal data of special nature are regulated in the Personal Data Transfer Procedure.
2. Transfer abroad: Personal data may be transferred to countries where adequate protection exists, provided that the explicit consent of the person concerned is present and the conditions specified in the Law are met. Transfer to countries where adequate protection does not exist may be carried out, in addition to the explicit consent of the person concerned and the conditions specified in the Law, only with a written undertaking of adequate protection and the permission of the Board. Details are regulated in the Personal Data Transfer Procedure.

14. General (Basic) Principles in the Processing of Personal Data: Personal data is processed in accordance with the following basic principles, as detailed in the Personal Data Processing Procedure.
1. Compliance with the law and the rules of good faith,
2. Being accurate and, where necessary, up to date,
3. Processing for specific, explicit and legitimate purposes,
4. Being relevant, limited and proportionate to the purpose for which they are processed,
5. Being retained only for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

15. Explicit Consent: Consent on a specific subject, based on information and expressed with free will. As detailed in the Procedure for Obtaining Explicit Consent, consent must relate to a specific subject, must be based on prior information, and must be declared with free will.

16. Clarification Obligation: When personal data is obtained, the Company informs the persons concerned. As detailed in the Clarification Procedure, this information covers at least the following:
1. The identity of the data controller and of its representative, if any,
2. The purpose for which the personal data will be processed,
3. To whom and for what purpose the processed personal data may be transferred,
4. The method and legal basis for collecting the personal data,
5. The other rights of the data subject listed in Article 11 of the Law.

17. Methods for the Person Concerned to Exercise Their Rights: By applying to the Company, the person concerned has the right to learn whether personal data concerning them are being processed; to request information about the data if they have been processed; to request correction of the data if they are incomplete or incorrect; to request deletion or destruction of the data if they have been processed unlawfully; to request that these actions be notified to the third parties to whom the data have been transferred; and to claim compensation for damage suffered as a result of unlawful processing. The person concerned may exercise their rights of application and complaint as specified in the Data Subject Request Procedure.
1. Application: To exercise their rights, the persons concerned must first apply to the data controller. A complaint cannot be lodged with the Board before this remedy has been exhausted.
2. Complaint: For the person concerned to lodge a complaint, the application to the Company must have been rejected, the response given must be insufficient, or the application must not have been answered within 30 days. The persons concerned cannot complain directly to the Board without first applying to the Company.

18. Obligation to Comply with Board Decisions: If, as a result of an examination carried out upon a complaint or ex officio after learning of an alleged violation on a matter within its remit, the Board determines that a violation exists, it decides that the unlawfulness is to be remedied by the Company and notifies the parties concerned of its decision. As detailed in the Execution of Board Decisions Procedure, the Company complies with the decision without delay and at the latest within thirty days of notification.

19. Data Controllers Registry (VERBIS) Registration Obligation: The Company registers with, and keeps up to date its entry in, the Data Controllers Registry, the system in which data controllers are required to register and to declare information about their data processing activities, as specified in the Data Controllers Registry (VERBIS) Registration Procedure.

20. Personal Data Breach: If processed personal data is obtained by others through unlawful means, the Company notifies the persons concerned and the Board as soon as possible, as specified in the Personal Data Breach Procedure. If necessary, the Board may announce the breach on its own website or by any other method it deems appropriate.

21. Personal Data Security Measures: The Company takes the following technical and administrative measures, appropriate to its structure, to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure that personal data is preserved.
1. Network security and application security are ensured.
2. A closed network is used for transferring personal data over the network.
3. Security measures are taken in the procurement, development and maintenance of information technology systems.
4. Disciplinary regulations containing data security provisions are in place for employees.
5. Training and awareness activities on data security are carried out periodically for employees.
6. An authorization matrix has been created for employees.
7. Corporate policies on access, information security, use, storage and destruction have been prepared and put into practice.
8. Confidentiality undertakings are obtained.
9. The authorizations of employees whose duties change or who leave the Company are revoked.
10. Up-to-date anti-virus systems are used.
11. Firewalls are used.
12. The contracts signed contain data security provisions.
13. Additional security measures are taken for personal data transferred on paper, and the relevant documents are sent marked as confidential.
14. Personal data security policies and procedures have been defined.
15. Personal data security incidents are reported promptly.
16. The necessary security measures are taken for entry to and exit from physical environments containing personal data.
17. Physical environments containing personal data are protected against external risks (fire, flood, etc.).
18. The security of environments containing personal data is ensured.
19. Personal data is minimized as far as possible.
20. Personal data is backed up, and the security of the backed-up personal data is also ensured.
21. A user account management and authorization control system is implemented and monitored.
22. Periodic and/or random internal audits are carried out.
23. Existing risks and threats have been identified.
24. Protocols and procedures for the security of personal data of special nature have been defined and implemented.
25. If personal data of special nature must be sent by e-mail, it is sent in encrypted form using a KEP or corporate e-mail account.
26. Secure encryption / cryptographic keys are used for personal data of special nature, and the keys are managed by separate units.
27. Cyber security measures have been taken and their implementation is continuously monitored.
28. Personal data of special nature transferred on portable media (USB memory, CD, DVD) is encrypted before transfer.
29. Data processing service providers are audited periodically on data security.
30. Data processing service providers are made aware of data security requirements.

Data Controller Title: TOYOTETSU AUTOMOTIVE PARTS IND. and TRA. Inc.
Mersis No: 0859019537000018
E-mail Address: toyotetsu@toyotetsu.com.tr
Registered Electronic Mail Address: toyotetsu@hs01.kep.tr
Physical Mail Address: TOSB Automotive Sub-Industry Specialized Organized Industrial Zone 5th Street No:4 41420
Sekerpinar, Cayirova - KOCAELI / TURKEY