DATA PRIVACY COMMITMENT

1.1. The Personal Data Protection Policy (“the Policy”) of Nuhdem Plastik Sanayi ve Ticaret A.Ş. (“the Company”) identifies the procedures that the Company must follow, in accordance with Law No. 6698 on the Protection of Personal Data and the provisions of the legislation, in fulfilling its obligations to protect personal data when processing personal data within the Company.
1.2. The Company undertakes to comply with this policy and the procedures that will be applied depending on the personal data contained within. 

2. PURPOSE OF POLICY 
It is to define the principles related to methods and processes for protecting personal data by the company. 

3. EXTENT OF POLICY 
3.1. It covers all activities related to the personal data that the company processes and applies to those activities. 
3.2. It does not apply to data that does not qualify as personal data. 
3.3. It may be changed from time to time with the approval of the general manager, if required by the KVK regulations, or if the Company’s Data Officer Contact Person or the Committee deems it necessary. If there is a mismatch between the KVK regulations and the Policy, the KVK regulations prevail.

4. DEFINITIONS 
The terms used in the Policy have the following meanings:
“Direct consent” refers to consent based on information about a particular subject and disclosed by free will. 
“Anonymization” means that personal data cannot in any way be associated with a specific or identifiable person, even by pairing it with other data. 
“Disclosure obligation” refers to the obligation of the data officer or authorized person to provide information to the relevant person in accordance with Article 10 of the KVKK during the acquisition of personal data. 
“Personal data” refers to any information relating to a specific or identifiable person (the term “personal data” under the Policy shall, to the extent appropriate, include the “specially qualified personal data” defined below).
“The processing of personal data” refers to any operation performed on personal data, whether fully or partially automated or, provided that it is part of a data recording system, non-automated, such as obtaining, recording, storage, preservation, modification, rearrangement, disclosure, transfer, acquisition, classification or prevention of making the data available.
“Committee” refers to the committee responsible for the implementation of KVK policies and procedures that will be applied depending on KVK policies. 
“Board” refers to the board for the protection of personal data.
“Institution” refers to the institution of Personal Data Protection. 
“KVKK” refers to the Personal Data Protection Law No. 6698. 
“KVK Arrangements” refers to regulations for the protection of personal data by the Personal Data Protection Law Number 6698 with other relevant legislation, binding decisions, policy decisions, provisions, conditions and any other applicable data protection legislation and/or international agreements issued by regulatory and supervisory authorities, courts and other official authorities. 
“KVK policies” refers to the policies adopted by the company on the protection of personal data. 
“KVK procedures” refers to procedures that determine the obligations that the company and its employees must comply with under the committee’s KVK policies.
“Specially Qualified Personal Data” refers to data concerning people’s race, ethnic origin, political opinion, philosophical belief, religion and sect, or other beliefs, costume and dress, association or trade union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
“Deletion or destruction” means the irreversible destruction or deletion of personal data.
“Data inventory” refers to the inventory containing the personal data processing processes and methods for the company’s personal data processing activities, personal data processing purposes, data category, third parties to which personal data is transferred, etc.
“Data processor” refers to a natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller.
“Contact” means all individuals whose personal data is processed by or on behalf of the company. 
“Data officer” refers to a natural or legal person who processes personal data by specifying the purposes and ways of processing, who is responsible for establishing and managing a data recording system. 
“Data Officer Contact Person” refers to the person who conducts the company’s relations with the institution and is appointed by senior management. 

 

5. PRINCIPLES OF PERSONAL DATA PROCESSING 
5.1. Processing of personal data in compliance with law and integrity rules. The Company processes personal data in accordance with the law and integrity rules and on a proportionate basis.
5.2. Taking necessary measures to ensure that personal data is accurate and up-to-date when necessary. The Company takes all necessary measures to ensure that the personal data is complete, accurate and up-to-date and updates the personal data if the person concerned requests changes to the personal data in accordance with the KVKK regulations.
5.3. Processing of personal data for specific, clear and legitimate purposes. Before the processing of personal data, the company determines for what purpose the personal data will be processed. In this context, the Relevant Person is informed in accordance with the regulations of the KVK and, where necessary, their direct consent is obtained.
5.4. Personal data being relevant, limited and proportionate to the purpose for which they are processed. The company processes personal data only in the exceptional circumstances under the KVK Regulations (Article 5.2 and Article 6.3 of the KVKK) or for the purpose of express consent obtained from the person concerned (Article 5.1 and Article 6.2 of the KVKK), and on a proportionate basis. The data officer processes personal data in a manner conducive to the realization of the specified goals and avoids processing personal data that is not related to the realization of the goal or is not needed.
5.5. Maintaining personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed 
5.5.1. The company maintains personal data for as long as necessary in accordance with the purpose. If the company wishes to maintain personal data for a period longer than the period stipulated in the KVK regulations or required by the purpose of processing personal data, the Company shall comply with the obligations specified in the KVK regulations. 
5.5.2. After the period required by the purpose of processing personal data has expired, personal data is deleted or anonymized. Third parties to which the company transfers personal data are also allowed to delete, destroy or anonymize personal data. 
5.5.3. The Data Officer Contact Person and Committee are responsible for the operation of the deletion, destruction and anonymization processes. In this context, the necessary procedure is created by the Data Officer Contact Person and the Committee. 

6. PROCESSING OF PERSONAL DATA 
Personal data may only be processed by the company in accordance with the following procedures and principles. 
6.1. Direct Consent 
6.1.1. Personal data is processed after information to be made within the framework of the fulfillment of the disclosure obligation to the Relevant Persons and if the relevant persons give direct consent. 
6.1.2. In accordance with the disclosure obligation, the relevant persons are notified of their rights before the direct consent is obtained.
6.1.3. The direct consent of the person concerned is obtained by methods in accordance with the regulations of the KVK. Express consent is evidently maintained by the company for the period required under the KVK regulations. 
6.1.4. The Data Officer Contact Person and the Committee are obliged to ensure that the disclosure obligation is fulfilled in respect of all Personal Data Processing processes and, where necessary, direct consent is obtained and the retention of direct consent is received. All department employees who process personal data are obliged to comply with the instructions of the Data Officer Contact Person and the Committee, The Policy and the procedures of the KVK. 
6.2. Processing Of Personal Data Without Direct Consent 
6.2.1 In cases where the processing of personal data is provided under the KVK Regulations (Article 5.2 of KVKK) without direct consent, the company may process personal data without direct consent of the person concerned. If personal data is processed in this way, the company processes personal data within the limits set out by the KVK regulations. In this context:
6.2.1.1. Personal data may be processed by the company without direct consent, if it is expressly provided and can be foreseen by law. 
6.2.1.2. Personal data may be processed by the company without direct consent if this is necessary to protect the life or bodily integrity of the person concerned, or of someone other than the person concerned, where the person concerned cannot disclose consent due to actual impossibility or where the consent is not granted legal validity.
6.2.1.3. Personal data may be processed by the company without the direct consent of the persons concerned if the processing of personal data belonging to the parties to the contract is necessary, provided that it is directly related to the establishment or performance of the contract. 
6.2.1.4. If the processing of personal data is necessary for the company to fulfill its legal obligation, personal data may be processed by the company without the express consent of the persons concerned. 
6.2.1.5. Personal data made public by the person concerned may be processed by the company without express consent. 
6.2.1.6. If the processing of personal data is mandatory for the establishment, use or protection of a right, personal data may be processed by the company without express consent. 
6.2.1.7. Personal data may be processed by the company without express consent if the processing of data is mandatory for the legitimate interests of the company, provided that it does not harm the fundamental rights and freedoms of the person concerned. 

7. PROCESSING OF SPECIALLY QUALIFIED PERSONAL DATA
7.1. Personal data of special quality may only be processed if the direct consent of the person concerned exists or if processing is required by law in respect of personal data of special quality other than sexual life and personal health data. 
7.2. Personal data relating to health and sexual life, however, can be processed without obtaining direct consent by persons under a confidentiality obligation (i.e. the Company physician) or by the authorized institutions, for the purposes of public health protection, preventive medicine, medical diagnosis, the execution of treatment and care services, and the planning and management of health services financing.
7.3. When processing personal data of special quality, measures determined by the Board are taken. 
7.4. With regard to employees involved in the processing of personal data with special qualifications, the Company:
7.4.1 Will conduct regular trainings on KVK and on the security of personal data with special qualifications.
7.4.2 Will make confidentiality agreements.
7.4.3 Will clearly define the limits and duration of authorization of users authorized to access special personal data.
7.4.4 Will periodically carry out authority checks.
7.4.5 Will immediately remove the authority of employees who have changed their duties or left their jobs in this area and immediately cancel the inventory allocated to the relevant employee.
7.5. In case of transfer to Specially Qualified Electronic Media (Özel Nitelikli Elektronik Ortam), in relation to the electronic media in which Specially Qualified Personal Data is processed, stored and accessed, the Company will:
7.5.1 Maintain Specially Qualified Personal Data using cryptographic methods. 
7.5.2 Keep cryptographic keys safe and in different environments. 
7.5.3 Securely log the transaction records of all transactions performed on specially qualified personal data. 
7.5.4 Constantly monitor security updates for environments where special personal data is available, regularly conduct or have conducted the necessary security tests, and record the test results.
7.5.5 If personal data is accessed through software, define the user authorizations for this software, regularly conduct or have conducted security tests of this software, and record the test results.
7.5.6 Provide at least a two-stage authentication system in the event of remote access to specially qualified personal data. 
7.6. In the case of processing of Specially Qualified Personal Data in a physical environment, in relation to the physical environments in which the data is processed, stored and/or accessed, the company will:
7.6.1 Take adequate security measures (against situations such as electricity leakage, fire, flooding, theft, etc.) according to the nature of the environment in which special personal data is located.
7.6.2 Prevent unauthorized entry and exit by ensuring the physical security of these environments.
7.7. If private personal data is transferred, the Data Officer will: 
7.7.1 Use an encrypted corporate e-mail address or a registered e-mail (“KEP”) account if personal data is required to be transferred via e-mail.
7.7.2 If it is necessary to transfer personal data through media such as portable memory, CD, DVD, encrypt using cryptographic methods and keep the cryptographic key in a different environment. 
7.7.3 If special personal data needs to be transferred between servers in different physical environments, transfer between servers by setting up a VPN or by SFTP method. 
7.7.4 If the transfer of specially qualified personal data through the paper medium is necessary, take the necessary measures against risks such as theft, loss or unauthorized viewing of the document and send the document in the format of “documents with a degree of confidentiality”. 
7.8. In addition to the above regulations, the Committee and the Data Officer Contact Person shall act in accordance with the regulations of the KVK, especially the Personal Data Security Guide published by the board on ensuring the security of personal data, including special qualified data. 
7.9. In any case requiring the processing of Specially Qualified Personal Data, the Data Officer Representative is informed by the relevant employee. 
7.10. If it is not clear whether a data is personal data of special quality, an opinion is taken by the relevant department from the Data Officer Contact Person. 

8. RETENTION PERIOD OF PERSONAL DATA 
Personal data is stored within the company for the period of the relevant legal retention period and is stored for the period necessary for the realization of the activities associated with this data and the purposes specified in this policy. Personal data whose purpose of use has expired and the legal retention period has expired are deleted, destroyed or anonymized by the company in accordance with Article 7 of the KVKK. 

9. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA 
9.1. When the legitimate purpose of processing personal data disappears, the relevant personal data is deleted, destroyed or anonymized. Cases where personal data must be deleted, destroyed or anonymized are followed by the Data Officer Contact Person and the Committee. 
9.2. The Data Officer Contact Person and Committee are responsible for the operation of the deletion, destruction and anonymization processes. In this context, the necessary procedure is created by the representative of the Data Officer and the Committee. 
9.3. All deletion, destruction and anonymization activities that the Company will implement on personal data will be carried out in accordance with the principles set out in the data destruction procedure. 

10. TRANSFER OF PERSONAL DATA AND PROCESSING OF PERSONAL DATA BY THIRD PARTIES 
The Company may transfer personal data to a third natural or legal entity located at home and/or abroad in accordance with KVK regulations, taking the necessary measures for personal data processing purposes. In this case, the company ensures that third parties to which it transfers personal data also comply with this policy. In this context, the necessary protective arrangements are added to the contracts concluded with the third party. The article to be added to contracts concluded with third parties that transmit any personal data is obtained from the contact person responsible for the data. Each employee is obliged to participate in the process contained in this policy in the case of personal data transfer. If the third party to which the personal data is transferred requests changes in the article transmitted by the Data Officer Contact Person, the situation is immediately notified by the employee to the Data Officer Contact Person. 
10.1. Transfer Of Personal Data To Third Parties Located In Turkey 
10.1.1. Personal data may be transferred by the company to third parties located in Turkey without direct consent in exceptional cases set out in Article 5.2 and Article 6.3 of the KVKK, provided that adequate measures are taken, or in other cases with the condition that the explicit consent of the person concerned is obtained (Article 5.1 and Article 6.2).
10.1.2. Company employees and the contact person responsible for the data are mutually responsible for ensuring that the transfer of personal data to third parties located in Turkey complies with the regulations of the KVK. 
10.2. Transfer Of Personal Data To Third Parties Abroad 
10.2.1. Personal data may be transferred by the company to third parties located abroad without direct consent in exceptional cases set out in Article 5.2 and Article 6.3 of the KVKK, or in other cases with the condition of obtaining the direct consent of the person concerned (Article 5.1 and Article 6.2 of the KVKK). 
10.2.2. In the event that personal data is transferred without direct consent in accordance with KVK regulations, there must also be one of the following conditions in respect of the foreign country in which it will be transferred: 
10.2.2.1 The foreign country to which the personal data is transferred has been designated by the Board as a country with sufficient protection (please refer to the Board’s current list),
10.2.2.2 If the foreign country in which the transfer will take place is not included in the board’s list of safe countries, the company and its data officers in the relevant country receive permission from the board by making a written commitment that adequate protection will be provided. 
10.2.3. Company employees, the Committee and the Contact Person are mutually responsible for ensuring that the transfer of personal data to third parties abroad complies with KVK regulations. 

11. COMPANY’S DISCLOSURE OBLIGATION
11.1. In accordance with Article 10 of the KVKK, the Company informs the relevant persons before the processing of personal data. In this context, the Company fulfils its disclosure obligation when obtaining personal data. The notification to the relevant persons within the scope of the disclosure obligation includes the following elements, respectively:
11.1.1. Identity of the data controller and, if any, its representative, 
11.1.2. For what purpose personal data will be processed, 
11.1.3. To whom and for what purpose the processed personal data may be transferred, 
11.1.4. Method and legal reason for collecting personal data, 
11.1.5. The rights of the persons concerned as specified in Article 11 of the KVKK.
11.2. In accordance with Article 20 of the Constitution of the Republic of Turkey and Article 11 of the KVKK, the Company provides the necessary information if the relevant person requests information.
11.3. If requested by the relevant persons in accordance with the KVKK regulations, the Company shall notify the relevant person requesting the processed personal data. 
11.4. The employee, committee and Data Officer contact person following the relevant process are responsible for ensuring that the necessary disclosure obligation is met before the processing of personal data. In this context, in order to report each new data processing process to the Committee, the necessary KVK procedure is created by the Data Officer Contact Person and the Committee. 
11.5. If the data processor is a third party other than the company, the third party must commit, by a written agreement made before the start of processing personal data, to act in accordance with the above-mentioned obligations. In cases where third parties transfer personal data to the company, the item to be added to the contracts is obtained from the contact person responsible for the data. Each employee is obliged to participate in the process contained in this policy in the event that personal data is transferred to the company by a third party. If the third party transferring the personal data requests a change in the article transmitted by the Data Officer Contact Person, the Data Officer Contact Person will immediately notify the employee of the situation.

12. RIGHTS OF THE PERSON CONCERNED 
12.1. The company responds to the requests of the Relevant Persons with whom it holds personal data in accordance with the KVK regulations, as stated below: 
12.1.1. Learning whether personal data is processed by the company, 
12.1.2. Request information regarding the processing of your personal data, 
12.1.3. Learning the purpose of processing personal data and whether it is used for its purpose, 
12.1.4. Knowledge of third parties where personal data is transferred at home or abroad, 
12.1.5. Request correction if personal data is incomplete or incorrectly processed by the Company, 
12.1.6. Request the deletion or destruction of personal data by the company if the reasons requiring the processing of personal data are eliminated for evaluation within the principles of purpose, duration and legitimacy, 
12.1.7. Request that these transactions be notified to third parties where personal data is transferred if personal data is corrected, deleted or destroyed by the company, 
12.1.8. If the processed personal data is analyzed exclusively through automated systems, object to this result in the event of a result against the person concerned, 
12.1.9. If the personal data is processed in violation of the law and therefore the person concerned is harmed, request removal of the damage.

For matters relating to the exercise of their rights, and/or where they believe that the Company has not acted within the scope of this Policy when processing personal data, the persons concerned may submit their requests by filling out the form on the Company’s website, or in another way that meets the conditions set by the Data Protection Agency: by sending an email to the e-mail address given below, which may change from time to time (the email address registered in the system must be checked); by sending a message with a secure electronic signature or mobile signature to the Company’s KEP address; by delivering a wet-signed petition, by hand or through a notary, to the postal address given below, which may change from time to time; or by other methods that may be determined in the future by the Protection Agency. Current application methods and application content must be confirmed against the legislation prior to application.
Data Officer: Nuhdem Plastik Sanayi ve Ticaret A.Ş. 
Email: info@nuhdem.com.tr 
Address: Tuzla Kimya Sanayicileri Organize Sanayi Bölgesi Melek Aras Bulvarı No: 20 34953 Tuzla, Istanbul / TURKEY
12.2. If the interested parties submit their requests for the rights listed above to the company in writing, the company will conclude the request free of charge within thirty days at the latest according to the nature of the request. If there is also a cost associated with the conclusion of claims by the Data Officer, the fees in the tariff determined by the Personal Data Protection Board may be requested by the Data Officer. 

13. DATA MANAGEMENT AND SECURITY 
13.1. The Company appoints a Data Officer Contact Person and creates a committee to fulfill its obligations under the KVK regulations, ensure and supervise the implementation of the KVK procedures necessary for the implementation of this policy, and make recommendations for their operation. 
13.2. All employees involved in the relevant process are responsible for the protection of personal data in accordance with this policy and KVK procedures. 
13.3. The company’s personal data processing activities are controlled by technical systems according to technological possibilities and application cost. 
13.4. Staff with knowledge of technical issues related to personal data processing activities are employed. 
13.5. Employees of the company are informed and trained for the protection and processing of personal data in accordance with the law. 
13.6. In order to ensure that employees who need to access personal data have access to such personal data, the necessary KVK policy is established in the company. The Data Officer Contact Person and Committee are responsible for creating and implementing this. 
13.7. Company employees can access personal data only within their defined authority and in accordance with the relevant access procedure. Any access and processing by which an employee exceeds his authority is illegal and is grounds for termination of the employment contract for just cause.
13.8. If the company suspects that the security of the employee’s personal data has not been adequately provided, or if it detects such a vulnerability, it will immediately notify the Data Officer Contact Person. 
13.9. Detailed procedures for the security of personal data are established by the Data Officer Contact Person and the Committee. 
13.10. Each person allocated a company device is responsible for the safety of their devices allocated for their own use. 
13.11. Each company employee or person working within the company is responsible for the security of physical files contained in their area of responsibility. 
13.12. In the event that there are security measures requested or additional to be requested for the security of personal data in accordance with the KVK regulations, all employees are obliged to comply with additional security measures and ensure the continuity of these security measures. 
13.13. In accordance with technological advances, software and hardware including virus protection systems and firewalls are installed in order to store personal data in secure environments. 
13.14. Backup programs are used in the company to prevent loss or damage of personal data and adequate security measures are taken. 
13.15. Necessary measures will be taken to protect documents containing personal data in the company with encrypted systems. In this context, personal data will not be stored in public areas and on the desktop. Without the prior written consent of the Data Officer Contact Person or Information Security Manager, files, folders, documents, etc. containing personal data will not be moved to the desktop or a public folder, and information on company computers will not be transferred to USB or another device or taken out of the company.
13.16. The Committee, together with Senior Management, is obliged to take technical and administrative measures to protect all personal data contained within the Company, to constantly monitor developments and administrative activities, and to prepare KVK procedures and to announce and ensure compliance with them within the Company. In this context, the Committee and the Data Officer Contact Person organize the necessary trainings to increase employee awareness. 
13.17. If a department within the company processes Specially Qualified Personal Data, that department will be informed by the committee about the importance, security and confidentiality of the personal data they process, and the relevant department will act in accordance with the committee’s instructions. Access to Specially Qualified Personal Data will be granted only to limited employees, and their listing and tracking will be made by the Committee. 
13.18. All personal data processed within the Company is considered “confidential information” by the Company. 
13.19. Company employees have been informed that their obligations to the security and confidentiality of personal data will continue after the end of the business relationship, and Company employees have been required to comply with these rules. 

14. EDUCATION 
14.1. The Company provides its employees with the necessary training in terms of policies and KVK procedures and KVKK regulations on the protection of personal data. 
14.2. In the trainings, special attention is paid to the definitions and practices for the protection of personal data of special quality. 
14.3. If a company employee accesses personal data physically or in a computer environment, the company provides training to its respective employee in these accesses (for example, the computer program accessed). 

15. CONTROL 
The company has the right to monitor at any time without any prior notice that all employees, departments and contractors of the company are acting in accordance with this policy and KVK regulations, and in this context conducts the necessary routine audits. The Committee and the Data Officer Contact Person create an audit procedure for these audits, submit it for approval by senior management, and ensure the implementation of this procedure. 

16. VIOLATIONS
16.1. Each employee of the company reports to the Committee any business, transaction or action that the employee considers to be contrary to the procedures and principles set out in the KVK regulations and in the Policy. In this context, the Committee shall establish an action plan for the relevant breach in accordance with this Policy and Information Security Breach procedures.
16.2. As a result of the report made, the committee prepares a notification to the relevant person or institution regarding the violation, taking into account the provisions of the applicable legislation on this issue, especially the rules of the KVK. The contact person in charge of data conducts correspondence and communication with the institution.

17. RESPONSIBILITIES
Responsibilities within the company are in the form of employee, department, Data Officer Representative respectively. In this context, the Committee responsible for the implementation of The Policy and the contact person responsible for the data are appointed by The Company’s Governing Body (Yönetim Kurulu) and changes in this scope are also made in the same way by the decision of the Governing Body. 

18. POLICY CHANGES 
18.1. The policy may be amended by the company with the approval of senior management when necessary. 
18.2. The company shares the updated policy text with its employees via email so that changes to the policy can be examined, or makes it available for employees and interested parties via the following website: www.nuhdem.com.tr