Protection of Personal Data
As our company "Hür Çelik Sanayi ve Dış Ticaret A.Ş.", we would like to inform you in the most transparent way about the "Law on the Protection of Personal Data" regulated on personal data in order to protect your fundamental rights and freedoms and the ways your personal data are collected, the purposes of processing, legal reasons and your rights within the scope of this Law.
Law No. 6698 on the Protection of Personal Data (hereinafter referred to as the "Law") entered into force on 07 April 2016 and contains regulations on the processing of all kinds of information relating to identified or identifiable natural persons.
This Hürçelik Personal Data Protection and Processing Policy ("Policy") contains the statements and explanations of HÜRÇELİK regarding the processing of personal data of natural persons in the categories listed below by Hür Çelik San. ve Dış Ticaret A.Ş. ("HÜR ÇELİK") within the scope of the Law. In this context, the application area of the Policy is the processing processes of personal data belonging to the following Data Subjects:
- Natural Customers (may be referred to as "Customer" or "User" for short)
- Corporate Customer Shareholders, Officers, Employees - Potential Customers (may be referred to as "Potential Customer" or "Potential User" for short) - Company Officers - Shareholders - Former Employees/Retirees - Business Partner Shareholders, Officers, Employees - Supplier Shareholders, Officials, Employees - Employees - Employee Candidates, Interns and Trainee Candidates - Business Partner Candidates - Supplier Candidates - Visitors - Press - Third Parties This Policy may be updated from time to time in order to adapt to changing conditions and legislation.
1. PURPOSE OF THE POLICY
Hür Çelik Sanayi ve Dış Ticaret A.Ş. is obliged to act in accordance with the legal legislation in force regarding the protection of personal data, especially the Constitution of the Republic of Turkey (hereinafter referred to as the "Constitution") and the Law No. 6698 on the Protection of Personal Data (hereinafter referred to as the "Law"), and HÜRÇELİK carries out the necessary work to operate in compliance with the said legal legislation and to protect personal data. Within the scope of these studies, Personal Data Protection and Processing Policy has been prepared by HÜRÇELİK. The definitions in the Policy are included in the annex of this Protocol (Annex-2). HÜRÇELİK undertakes to comply with national personal data protection regulations as part of its legal and social responsibility. This Policy includes HÜRÇELİK's statements and explanations regarding the protection and processing of personal data belonging to natural persons in the categories listed below by HÜRÇELİK within the scope of the Law and it is aimed to inform the persons related to these processes. HÜRÇELİK, which is the data controller in accordance with the Law and the relevant legislation, determines the basic principles adopted in the processing and protection of personal data, the administrative and technical measures taken for the protection of personal data, and the procedures and principles for determining the maximum period required for the purpose for which they are processed with this Policy. In this Policy, detailed explanations are given by HÜRÇELİK on which data are personal data, which personal data are stored, administrative and technical measures taken for the protection of personal data, and detailed explanations regarding the processing, storage, enlightening and informing the Relevant Persons, transferring and protecting personal data to third parties.
2. SCOPE OF THE POLICY
This Policy HÜRÇELİK customers, potential customers, employees, employee candidates, interns, intern candidates, HÜRÇELİK shareholders, HÜRÇELİK shareholders and officials, visitors, employees, shareholders and officials of business partner companies / institutions, supplier shareholders, officials, It is related to all personal data of employees, shareholders of corporate customers, officials, employees, business partners and supplier candidates, former employees and retirees, press and third parties, which are processed automatically or non-automatically provided that they are part of any data recording system. HÜRÇELİK, which is the data controller in accordance with the Law and the relevant legislation, determines the basic principles adopted in the processing and protection of personal data, the procedures and principles regarding the administrative and technical measures taken regarding the protection of personal data with this Policy. The following assets that process and store personal data within HÜRÇELİK and all processes related to these assets are covered by this Policy; All printed or written documents containing personal data, documents, files, all applications containing personal data All databases containing personal data, In this context; It is related to the personal data of HÜRÇELİK customers, potential customers, employees, employee candidates, interns, intern candidates, HÜRÇELİK shareholders, officials, suppliers, supplier employees, supplier employees, HÜRÇELİK website, workplace visitors, business partnership institution employees, shareholders and officials and third parties, which are processed by non-automatic means, provided that they are fully or partially automated or part of any data recording system, and/or collected within the scope of all legal data processing conditions stipulated by law. Anonymised and unidentifiable data, such as data that do not contain personal data obtained for statistical evaluations or studies, and data relating to legal entities are not considered personal data and data that cannot be attributed to a specific or identifiable person are not considered personal data and are not subject to this Policy. This Policy applies to HÜRÇELİK's real person customers as well as other real persons who do not have a specific framework agreement with HÜRÇELİK.
3. PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
HÜRÇELİK, as the data controller pursuant to Article 4 of the Law, acts in accordance with the following principles in the processing of personal data: - Compliance with the law and honesty rules: Hürçelik acts in accordance with the laws, secondary regulations and general principles of law in the processing of your personal data; attaches importance to processing personal data limited to the purpose of processing and taking into account the reasonable expectations of the Data Subjects. - Accuracy and timeliness: Data controllers should establish the necessary processes to ensure that the personal data they process are accurate and up-to-date. In this direction, HÜRÇELİK provides the opportunity for the Relevant Persons to update their data and takes the necessary measures to ensure the correct transfer of data to databases. - Processing for specific, explicit and legitimate purposes: Data controllers are obliged to inform the Data Subjects about the purposes of processing personal data in line with their disclosure obligations under the Law. In this direction, HÜRÇELİK, as the data controller, keeps data processing activities limited to specific and legitimate purposes and clearly informs the owners of the Relevant Person within the scope of the clarification texts regarding these purposes. Retention for the period stipulated in the relevant legislation or required for the relevant purpose: If a certain period is determined within the scope of the legislation in force, the data is kept for this period. If no such period is specified in the legislation, reasonable retention periods are determined by taking into account the purpose of data use and company procedures, and the data are kept limited to this period. Following the expiration of the aforementioned periods, the data are deleted, destroyed or anonymized in accordance with the company procedures.
4. PURPOSES OF PROCESSING PERSONAL DATA BY HÜRÇELİK
Articles 5 and 6 of the Law set forth the conditions for the processing of personal data and sensitive personal data. "Special categories of personal data" are listed in a limited manner in the Law and include data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. While Article 5 of the Law determines the conditions for processing non-special categories of personal data, the conditions for processing special categories of personal data are regulated in Article 6 of the Law. In accordance with the regulation in Article 5 of the Law, as a rule, HÜRÇELİK processes Personal Data with the explicit consent of the Data Subject. However, pursuant to paragraph 2 of Article 5 of the Law; it is also possible to process Personal Data in cases where there is no explicit consent. Accordingly; Personal data can also be processed by HÜRÇELİK in the presence of one or more of the conditions written in the following paragraphs.
However, pursuant to paragraph 2 of Article 5 of the Law; It is also possible to process Personal Data in the absence of explicit consent. Accordingly; Personal data can also be processed by HÜRÇELİK in the presence of one and / or more of the conditions written in the following paragraphs. Although the existence of only one of the conditions specified below is sufficient for personal data processing activity; more than one of the mentioned conditions may also be the basis of the same personal data processing activity. According to the aforementioned articles, non-special categories of personal data may be processed in the following cases: - Explicit consent of the Data Subject. - Data processing is explicitly stipulated by law. - It is mandatory to process the relevant data for the protection of the life or physical integrity of the person himself/herself or of another person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid. - Provided that it is directly related to the establishment or performance of a contract, it is necessary to process personal data belonging to the parties to the contract. - Data processing is mandatory for the data controller to fulfill its legal obligation. - Personal data has been made public by the data subject himself/herself. - Data processing is mandatory for the establishment, exercise or protection of a right. - Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
5. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
5.1. Conditions for Processing Sensitive Personal Data
Personal data recorded as "specially reserved" within the scope of the Law due to the risk of causing discrimination or victimization of persons processed unlawfully are separately stated in this Policy due to these conditions. Storage of private personal data defined in the 1st paragraph of Article 6 of the Law is prohibited without the express consent of the Relevant Person, as specified in the 2nd paragraph of Article 6 of the Law. Paragraph 3 of Article 6 of the Law regulates the exceptions to this rule. By HÜRÇELİK; Personal data of private records are processed in accordance with the above-mentioned law article, with adequate maintenance to be determined by the Board. The law defines data regarding individuals' race, ethnic origin, political belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security practices, as well as biometric and genetic data as "private parts". ” or “sensitive” personal data and more severe conditions are stipulated for their maintenance. Accordingly, special comprehensive personal data can only be processed in cases where there is no explicit consent from the data owner: • Explicit consent of the Relevant Person is obtained, • Data of private data (race, ethnic origin of persons, political data) except for data regarding health and sexual life. , loyalty, religious, sectarian or other beliefs, appearance and dress, members of an association, foundation or union, criminal conviction and security-related data and biometric and genetic data) defined it as "special nature" or "sensitive" personal data and stipulated more severe conditions for its processing. Accordingly, special personal data can only be processed under the following conditions, except for cases where explicit consent has been obtained from the data owner: • There is explicit consent of the Relevant Person, • Special personal data other than data regarding health and sexual life (race, ethnic origin, political Processing is foreseen by law in terms of opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, data regarding criminal convictions and security measures, and biometric and genetic data), • In terms of data regarding health and sexual life processing by persons or authorized institutions and organizations under the obligation of confidentiality, for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing. 5.2. Personal data regarding natural persons in the categories specified in Annex-1 are processed by HÜRÇELİK for the following purposes: HÜRÇELİK processes Personal Data in cases where consent is required, in accordance with Articles 5 and 6 of the Law, for the purposes stated below and similar purposes. is processed by obtaining the approval of the Relevant Person within the scope of legal legislation: • Personal and contact data: Name-surname, telephone, e-mail information are used for product sales, accounting transactions, financial transactions and communication purposes. • Camera recordings: Ensuring physical space security. 5.3. Apart from the data-based purposes stated above, it may process the personal data of the Relevant Person or third parties specified by the Relevant Person for various purposes, including but not limited to those stated below. • To organize all records and documents that will be the basis for the transaction in electronic or paper environment, • To provide information to public officials upon request and in accordance with the legislation regarding public security issues. To be able to provide information, • To fulfill our legal obligations and to exercise the rights arising from the current legislation, • To ensure security within the company and in warehouses • Planning, Control and Execution of Information Security Processes • Execution of Emergency Management Processes • Establishing and Managing Information Technologies Infrastructure • Fringe Benefits for Employees and Benefits Planning and Execution • Management of Application and Selection and Placement Processes for Employee Candidates and Interns • Fulfillment of Employment Contract and Legislation Obligations for Employees • Execution of Fringe Benefits and Benefits Processes for Employees • Conduct of Audit / Ethics / Training Activities • Planning of All Access Authorizations and Execution • Event Management • Follow-up of Finance and/or Accounting Affairs • Conduct of Activities in Compliance with Legislation • Conduct of Commitment Processes for Company / Product / Services • Ensuring Physical Space Security • Execution of Assignment Processes • Follow-up and Execution of Legal Affairs • Internal Audit/Investigation/Intelligence Activities Execution • Conducting Communication Activities • Planning Human Resources Processes • Execution / Audit of Business Activities • Conducting Occupational Health / Safety Activities • Receiving and Evaluating Suggestions for Improvement of Business Processes • Execution of Business Continuity Ensuring Activities • Business Partners and/or Planning and Execution of Suppliers' Access to Information • Management of Relationships with Business Partners and/or Suppliers • Planning and Execution of Corporate Communication and Corporate Governance Activities • Ensuring the Security of Company Fixtures and/or Resources • Ensuring that Company Activities are Conducted in Compliance with Company Procedures and/or Relevant Legislation Planning and Execution of Operational Activities Necessary for • Ensuring the Security of Company Operations • Planning and/or Execution of the Company's Financial Risk Processes • Planning and/or Execution of the Company's Production and/or Operational Risk Processes • Performing Corporate and Partnership Law Transactions • Contract Processes and/or Legal Tracking of Demands • Planning and Execution of Supply Chain Management Processes • Planning and Execution of Production and/or Operation Processes • Planning and Execution of Market Research Activities for the Sales and Marketing of Products and Services, • Purchasing, Marketing and/or Sales Processes of Products and/or Services Planning and Execution, • Execution of After-Sales Support Services of Products and/or Services • Ensuring that Data is Accurate and Up-to-Date • Execution of Logistics Activities • Organization and Event Management • Conducting Marketing Analysis Studies • Conducting Performance Evaluation Processes • Execution of Risk Management Processes • Storage and Archive Execution of Activities • Execution of Contract Processes • Execution of Wage Policy • Ensuring the Security of Data Controller Operations • Execution of Investment Processes • Execution of Management Activities • Creation and Tracking of Visitor Records For detailed information regarding the personal data processing purposes in question, see ANNEX-3 (“ANNEX 3) of this Policy. - Personal Data Processing Purposes”) section.
6. TRANSFER OF PERSONAL DATA BY HÜRÇELİK
6.1. General Conditions for Transfer
Article 8 of the Law makes a distinction regarding the transfer of personal data according to whether the data is "personal data of special nature" or not. According to the aforementioned article, non-special personal data may be transferred to third parties if one of the processing conditions specified in Sections 5.2 and 5.3 above is met. In this regard, personal data; • The Relevant Person has express consent, • Data processing is clearly prescribed by law, • It is mandatory to process the relevant data in order to protect the life or physical integrity of the person who is unable to express his consent due to actual impossibility or whose consent is not given legal validity, or the life or physical integrity of another person, • A contract It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of the contract, • Data processing is mandatory for the data controller to fulfill its legal obligation, • Personal data has been made public by the relevant person himself, • For the establishment, use or protection of a right. Data processing is mandatory, • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned, and HÜRÇELİK may share it with persons outside its legal entities.
Kanun’un 8. maddesi, özel nitelikli kişisel veriler açısından da Bölüm 5.1’de belirtilen işleme şartlarına atıf yapmış, ancak aktarım için ayrıca yeterli önlemlerin alınmış olmasını öngörmüştür. Buna göre HÜRÇELİK tarafından özel nitelikli kişisel veriler, • Sağlık ve cinsel hayata ilişkin veriler dışındaki özel nitelikli kişisel veriler (kişilerin ırkı, etnik kökeni, siyasi düşüncesi, felsefi inancı, dini, mezhebi veya diğer inançları, kılık ve kıyafeti, dernek, vakıf ya da sendika üyeliği, ceza mahkûmiyeti ve güvenlik tedbirleriyle ilgili verileri ile biyometrik ve genetik verileri) açısından işlemenin kanunlarda öngörülmesi, ve • Sağlık ve cinsel hayata ilişkin veriler açısından kamu sağlığının korunması, koruyucu hekimlik, tıbbı teşhis, tedavi ve bakım hizmetlerinin yürütülmesi, sağlık hizmetleri ile finansmanının planlanması ve yönetimi amacıyla, sır saklama yükümlülüğü altında bulunan kişiler veya yetkili kurum ve kuruluşlar tarafından işlenmesi, amaçlarına tabi olarak, her halükarda yeterli önlemlerin alınması sonrasında üçüncü kişilerle paylaşılmaktadır.
HÜRÇELİK may transfer personal data to the following categories of recipient groups in accordance with Articles 8 and 9 of the Law: - Legally Authorised Public Institution, - Legally Authorised Private Institution, - Business Partner, - Supplier shareholders and employees - HÜRÇELİK shareholders, employees - Direct/indirect domestic/foreign subsidiaries, - Program partner institutions and organisations with which we cooperate in order to carry out our activities, - Domestic/foreign persons and institutions from which we receive data storage services in the cloud environment, - Contracted banks, - Domestic/foreign related business partners
6.2. Transfer Abroad
Personal data is transferred abroad by HÜRÇELİK; • In case the Relevant Person has express consent, or • In cases where the Relevant Person does not have express consent, but one or more of the other conditions mentioned above are met; • If there is adequate protection in the country to which the data is transferred, or • If there is not sufficient protection in the country to which the data is transferred, it can be transferred provided that the relevant HÜRÇELİK undertakes adequate protection in writing together with the data controller in the relevant foreign country and the permission of the Personal Data Protection Board is obtained. In this context, it can be processed and stored on the servers and electronic media/overseas servers/cloud computing systems used.
7. PERSONAL DATA PROCESSED BY HÜRÇELİK
The categories of Personal Data processed by HÜRÇELİK are included in Annex-1.
8. PROCEDURE FOR PROCESSING PERSONAL DATA BY HÜRÇELİK
8.1. As stipulated in the Law, during the collection of personal data, HÜRÇELİK informs the Relevant Persons about the purpose for which it processes personal data as the data controller, to whom and for what purposes it can transfer the processed personal data, the personal data collection method and legal reason, and the rights of the Relevant Person. 8.2. If any process requires explicit consent in accordance with the Law, express consent is obtained from the Relevant Person after the above-mentioned information is provided by HÜRÇELİK.
9. STORAGE AND DESTRUCTION OF PERSONAL DATA BY HÜRÇELİK
9.1. When determining the storage period of personal data, HÜRÇELİK takes into consideration the legislation in force and the purposes of processing the data subject to the process. In any case, HÜRÇELİK determines the retention periods in the light of its legal obligations and relevant statute of limitations. 9.2. In accordance with the obligation to delete, destroy or anonymise personal data stipulated in the Turkish Penal Code, the Law and other relevant legislation, although HÜRÇELİK has processed it in accordance with the Law and other legislation, in case the purpose of data processing is eliminated, personal data shall be transferred to HÜRÇELİK. It is deleted, destroyed or anonymized based on the decision made by you or the request of the personal data owner.
ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA
HÜRÇELİK takes all necessary precautions, within the limits of possibility, depending on the nature of the data to be protected, in order to prevent unlawful disclosure, access, transfer of personal data or security deficiencies that may occur in other ways. In this context, all necessary (i) administrative and (ii) technical measures are taken by HÜRÇELİK, (iii) an audit system is established within HÜRÇELİK and (iv) in case of illegal disclosure of personal data, actions are taken in accordance with the measures stipulate
9.3. Administrative Measures Taken by HÜRÇELİK to Ensure the Processing of Personal Data in accordance with the Law and to Prevent Unlawful Access to Personal Data:
There are disciplinary regulations for employees that include data security provisions. • Training and awareness activities are carried out at regular intervals for employees regarding data security. • An authority matrix has been created for employees. • Corporate policies on access, information security, use, storage and destruction have been prepared and implemented. • Confidentiality commitments are made. • The authorities of employees who change their duties or leave their jobs in this area are removed. • Signed contracts contain data security provisions. • Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in confidential document format. • Personal data security policies and procedures have been determined. • Personal data security issues are reported quickly. • Personal data security is monitored. • Necessary security measures are taken regarding entry and exit to physical environments containing personal data. • Physical environments containing personal data are secured against external risks (fire, flood, etc.). • The security of environments containing personal data is ensured. • Personal data is reduced as much as possible. • Periodic and/or random audits are carried out within the institution. • Protocols and procedures for the security of special personal data have been determined and implemented. • Data processing service providers are made aware of data security.
9.4. Technical Measures Taken by HÜRÇELİK to Ensure the Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data:
• Regarding the processing and protection of personal data by HÜRÇELİK, technical measures are taken to the extent technology allows, and the measures taken are updated and improved in parallel with the developments. • Network security and application security are ensured. • A closed system network is used for personal data transfer via the network. • Key management is implemented. • Security measures are taken within the scope of information technology systems procurement, development and maintenance. • Access logs are kept regularly. • Data masking measures are applied when necessary. • Up-to-date anti-virus systems are used. • Firewalls are used. • Personal data is backed up and the security of the backed up personal data is ensured. • User account management and authorization control system is implemented and these are also monitored. • Periodic and/or random audits are carried out within the institution. • Log records are kept without user intervention. • Current risks and threats have been identified. • Intrusion detection and prevention systems are used. • Penetration testing is applied. • Cyber security measures have been taken and their implementation is constantly monitored. • Encryption is done. • Sensitive personal data transferred on removable memory, CD, DVD media is encrypted. • Data loss prevention software is used. 9.5. Methods to be Applied and Measures to be Taken in Case of Unlawful Disclosure of Personal Data Within the scope of personal data processing activities carried out by HÜRÇELİK, in case personal data is obtained by unauthorized persons unlawfully, the situation will be reported to the Board and Relevant Persons without delay.
10. CLARIFICATION OF RELATED PERSONS
In accordance with Article 10 of the Law, HÜRÇELİK informs the Relevant Person during the acquisition of personal data. In this context, it clarifies the identity of HÜRÇELİK and its representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the Relevant Person. T.R. Article 20 of the Constitution states that everyone has the right to be informed about their personal data. In this regard, Article 11 of the Law includes the right to "request information" among the rights of the personal data owner. In this context, HÜRÇELİK, T.R. In accordance with Article 20 of the Constitution and Article 11 of the Law, it provides the necessary information if the Relevant Person requests information. Detailed information about the rights of the Relevant Person is included in section 12.1 of this Policy (“Rights of the Relevant Person”).
11. RIGHTS OF THE RELATED PERSON AND THE USE OF THESE RIGHTS
11.1. Rights of the Relevant Person
Kişisel Veri’lere ilişkin olarak Kanun’un 11. Maddesi uyarınca İlgili Kişi’nin HÜRÇELİK’ten talep edebileceği yasal haklar aşağıda sayılmaktadır: (1) Kişisel verilerinin işlenip işlenmediğini öğrenme, (2) Kişisel verileri işlenmişse buna ilişkin bilgi talep etme, (3) Kişisel verilerinin işlenme amacını ve bunların amacına uygun kullanılıp kullanılmadığını öğrenme, (4) Kişisel verilerinin yurt içinde veya yurt dışında aktarıldığı üçüncü kişileri öğrenme, (5) Kişisel verilerinin eksik veya yanlış işlenmiş olması halinde bunların düzeltilmesini isteme ve bu kapsamda yapılan işlemin kişisel verilerinin aktarıldığı üçüncü kişilere bildirilmesini isteme, (6) Kanun ve ilgili diğer kanun hükümlerine uygun olarak işlenmiş olmasına rağmen, işlenmesini gerektiren sebeplerin ortadan kalkması halinde kişisel verilerinin silinmesini veya yok edilmesini isteme ve bu kapsamda yapılan işlemin kişisel verilerinin aktarıldığı üçüncü kişilere bildirilmesini isteme, (7) İşlenen verilerinin münhasıran otomatik sistemler vasıtasıyla analiz edilmesi suretiyle aleyhine bir sonucun ortaya çıkmasına itiraz etme, (8) Kişisel verilerinin kanuna aykırı olarak işlenmesi sebebiyle zarara uğraması halinde zararın giderilmesini talep etme.
11.2. Situations in which the Relevant Person Cannot Assert His Rights
In the cases listed in Article 28 of the Law, the Relevant Person will not be able to assert the rights listed in section 12.1 (“Rights of the Relevant Person”). Because these situations are excluded from the scope of data protection specified in the Law. Within the scope of the said article, the following cases are listed: (1) Processing of personal data for purposes such as research, planning and statistics by anonymising them with official statistics, (2) Personal data is processed entirely by real persons, provided that they are not given to third parties and obligations regarding data security are complied with. or processing within the scope of activities related to family members living in the same residence. (3) Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime, (4) Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public security, public order or economic security, (5) Investigation, prosecution of personal data processing by judicial authorities or enforcement authorities regarding trial or execution proceedings. Pursuant to the 2nd paragraph of Article 28 of the Law, the Relevant Person cannot assert other rights listed in section 12.1 (“Rights of the Relevant Person”), except for the right to request compensation for the damage in the cases listed below: (1) Personal data processing It is necessary for the prevention of crime or criminal investigation, (2) Processing of personal data made public by the personal data owner, (3) Processing of personal data is carried out by authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions, based on the authority granted by the law, and their supervisory or regulatory duties. (4) Personal data processing is necessary to protect the economic and financial interests of the state regarding budget, tax and financial matters.
11.3. Relevant Person's Exercise of His Rights
The Relevant Person may submit his/her requests regarding the rights numbered in section 12.1 (“Rights of the Relevant Person”) of this Policy by filling out the “Hür Çelik Sanayi ve Dış Ticaret Anonim Şirketi Relevant Person Application Form”; – a wet signed copy; by hand, through a notary, by registered letter to “Pelitli Mah. 4417. Sokak, No:30, Gebze-Kocaeli" or - By scanning the form and signing it with the secure electronic signature issued within the scope of the Electronic Signature Law No. 5070 and sending it via registered e-mail to hurcelik@hs03.kep.tr] or - By scanning the form The Data Controller has the right to send an e-mail to the e-mail address kvkk@hurcelik.com using the e-mail address registered in the Data Controller's system or to HÜRÇELİK by following another method prescribed by the Personal Data Protection Board. In order for third parties to request an application on behalf of the Relevant Person, the Relevant Person must have a special power of attorney issued through a notary on behalf of the person who will apply.
11.4. HÜRÇELİK's Response to the Applications
HÜRÇELİK takes all necessary administrative and technical measures to finalise the applications to be made by the Relevant Person in accordance with the effective, law and honesty rule. HÜRÇELİK has the right to accept the applications of the Relevant Person, as well as the right not to accept them, provided that the reason is explained. HÜRÇELİK may notify the relevant response to the Relevant Person in writing or electronically. In the event that the Relevant Person submits his/her request regarding the rights under section 12.1 ("Rights of the Relevant Person") to HÜRÇELİK in accordance with the procedures referred to in section 12.3 ("Exercise of Rights by the Relevant Person"), HÜRÇELİK shall finalise the request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee specified below may be charged. If HÜRÇELİK will respond to the application of the Relevant Person in writing, no fee will be charged up to ten pages, but for each page above ten pages, 1,00-TL (one Turkish Lira) transaction fee may be charged as specified in the Law and other relevant legislation.
