Personal Data Protection Policy

At Elastron, we care about the privacy and security of your personal data. In this context, we would like to inform you about how we process the personal data we receive from our customers, suppliers, business partners, their employees and officers, and any other third parties in the course of conducting our business, for what purposes we use / how we protect it.

All concepts and expressions used in this statement are intended to express the meaning ascribed to them in the Personal Data Protection Law (PPDL) No. 6698 and other laws. The term "you" in this statement refers to you personally. The term personal data is used to include sensitive personal data. The meanings of the terms and abbreviations in the policy are included in the APPENDIX - Abbreviations section.  

We would like to remind you that if you do not accept the policy, you should not share your personal data with us. If you choose not to provide us with your personal data, we may not be able to provide you with our full range of services, respond to your requests, or ensure the full functionality of our services.

We would like to remind you that it is your responsibility to ensure the personal data you share with our company is accurate, complete, and current to the best of your knowledge. In addition, if you share other people's information with us, it shall be your responsibility to collect that information in accordance with local legal regulations. This shall mean that you have obtained all necessary permissions from the said third party for us to collect, process, use, and disclose their data, and our company cannot be held responsible in this regard.

ABOUT ELASTRON

Elastron is a global thermoplastic elastomer (TPE) manufacturer located in Turkey. It has production facilities in Turkey and North America. Additionally, the company has offices in North America, China and Germany, exporting to more than 50 countries.

The terms "we" or "Company" or "Elastron" in the Policy are used for data processing activities carried out as a data controller by Elastron Kimya Sanayi ve Ticaret A.Ş. ("Elastron"), having its registered head office at İkitelli OSB Mah. Heskoop J Blok Sok. No.: 18 Başakşehir / İstanbul ,registered in the Commercial Register of Istanbul under number 174338.

OUR PERSONAL DATA PROCESSING PRINCIPLES

All personal data processed by our company are processed in accordance with the PPDL and the relevant legislation. The basic principles and principles that we pay attention to when processing your personal data in accordance with Article 4 of the PPDL are explained below:

  • Lawful processing and integrity: Our company acts in accordance with legal arrangements/principles and the general rule of trust and honesty when processing personal data. In doing so, our company takes into account the principle of proportionality for the processing of personal data and uses personal data only as intended.
  • Ensuring Personal Data Is Accurate and Updated as Necessary: Our company ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of personal data subjects and its own legitimate interests.
  • Processing for Specific, Explicit, and Legitimate Purposes: Our company processes personal data only for legitimate and lawful purposes. Our company processes personal data to the extent necessary and in connection with the products and services offered.
  • Being Strictly Related/Limited/Proportional to the Purpose for which they are processed: Our company processes personal data in a way that is suitable for the realization of the determined purposes avoiding the processing of personal data that is not related to the purpose or that is not needed.
  • Storage of Data for as Long as Required for their Processing or as Stipulated in the Relevant Legislation: Our company stores personal data only for as long as required by the relevant legislation or for the purpose for which they are processed. In this context, our company first determines whether the relevant legislation provides for a time limit for the storage of personal data, if there is a time limit, it acts in accordance with it and if there is none, it stores personal data for the length of time required to fulfill the purpose for which they are processed. Personal data are erased, destroyed or anonymized by our company when the time limit has expired or the reasons for processing them no longer apply.

DATA SUBJECT CATEGORIES

The categories of data subjects other than employees (including interns and subcontractor employees), whose personal data are processed by our company, are listed in the table below.  A separate policy regarding the processing of personal data of our employees was drafted, applicable across all company units. Persons outside of the following categories can also forward their requests to our Company within the scope of the PPDL, which will be duly processed.

CATEGORIES OF DATA SUBJECTS

DESCRIPTION

Customer

Natural or legal persons who purchase our products

Potential Customer

Natural or legal persons who requested to buy/benefit from our products or showed an interest in buying/benefiting from our products or were assumed to have such an interest, based on precedent/rules of honesty

Visitor

Real persons who have entered the physical facilities (offices, etc.) owned or organized by our company for various purposes or visited our websites

Third Person

Third-party real persons (e.g. guarantors, companions, family members and relatives) who are related to these persons in order to ensure the security of commercial transactions between our company and the above-mentioned parties or to protect the rights of the aforementioned persons and to obtain benefits or all-natural persons whose personal data must be processed by the Company for a specific purpose (e.g. ex-employees) under the Policy

Employee / Intern Candidates

Real persons who have applied to our Company for a job by any means or made their CV and related information available for a Company review

Group Company Employee

Employees and representatives of PEC Global group companies based in Turkey, of which our company is a member

Employees, Shareholders, Officials of Institutions We Cooperate With

Real persons, including shareholders and officials, working in institutions (including but not limited to business partners, suppliers, etc.) with which our company has a business relationship

 

WHEN DO WE COLLECT PERSONAL DATA ABOUT YOU?

We collect your personal data mainly in the following situations

  • When you buy or use our products,
  • When you sell goods or provide services to us,
  • When you subscribe to our newsletters, choose to receive our marketing messages,
  • When you contact us to submit a complaint or feedback via means such as e-mail, telephone, or online messaging,
  • When you apply for a job in our company,
  • When you attend our company events, seminars, conferences and organizations,
  • When you contact us for any purpose as a potential customer/supplier/business partner/subcontractor.

We will comply with this policy when processing personal data obtained from these sources.

WHAT PERSONAL DATA DO WE PROCESS?

The personal data we process varies according to the type of business relationship between you and us (e.g. customer, supplier, business partner, etc.) and how you chose to contact us (eg telephone, e-mail, printed documents, etc.).

Basically, our ways of processing personal data depend on your participation in our business events, surveys, or interaction with us, by phone or e-mail. In this context, the personal data we process about you can be organized under the following categories:

Data categories

Samples

Personal identifying information

Information contained in identity documents such as name, surname, title, date of birth

Contact information

Email, phone number, address

Images and/or videos that can reveal your identity

Photo and video images and audio data processed for security reasons when you visit our company or when you attend events organized by our company

Financial data

Bank account data, billing information

Any other information you decide to voluntarily share with Elastron

Personal data you share on your own initiative, your feedback, opinions, requests and complaints that you send to us, evaluations, comments and our evaluations regarding them, uploaded files, areas of interest, the information we review in detail before establishing a business relationship with you

Electronic data collected automatically

When you visit or use our website, subscribe to our newsletters, interact with us through other electronic channels, we may also collect electronic data sent to us by your computer, mobile phone or other access devices (e.g. country, city, device) in addition to the information you transmit directly to us (e.g., your country/city of residence, device hardware model, IP address, operating system version and settings, time and duration for which you use our digital channel, links you click on, etc.)

Legal proceedings and compliance information

Your personal data processed within the scope of determination and monitoring of our legal rights, the performance of our debts and compliance with our legal obligations and our company's policies, audit and inspection data, personal data processed within the scope of issuing invoices for stores due to the execution of customer invoicing processes

Corporate Customer/Supplier data

Information obtained as a result of operations carried out by our business units within the framework of the sale of our products about data subjects such as customer/supplier or employee, authorized signatory of the customer/supplier

Incident management and security information

Information and assessments about events that have the potential to affect our company's employees, directors or shareholders, license plate and vehicle information, transportation and travel information

Health information

Health report

Occupational data

Education status, certificates

Personal Information

Retirement information, employment statement issued by the Social Security Administration

Personal data collected from other sources

To the extent permitted by applicable laws and regulations, we may also collect your personal data through public databases, methods and platforms where our business partners collect personal data on our behalf. For example, prior to establishing a business relationship with you, we may conduct research about you from publicly available sources to ensure the technical, administrative and legal security of our business activities and transactions. In addition, some personal data belonging to third parties may be transmitted to us by you (e.g., personal data of guarantors, companions, family members, etc.). In order for us to manage our technical and administrative risks, we may process your personal data using methods consistent with generally accepted legal and commercial practices and rules of honesty.

 

PROCESSING OF PERSONAL DATA OF EMPLOYEE CANDIDATES

In addition to the above categories of personal data we collect from employee candidates, we collect other data from employee candidates, such as what school they graduated from, previous work experience, qualifications, disabilities, etc. to assess the candidate's suitability for the vacant position, to verify the accuracy of the information provided and to conduct research on the candidate by contacting third parties whose contact information the candidate has provided, to contact the candidate about the job application process, to choose a fitting candidate for the vacant position, to ensure compliance with legal requirements and to implement our company's hiring rules and human resources policies.

Personal data of employee candidates are processed via application forms in written and electronic media, electronic application platform of our company, applications submitted physically or by e-mail to our company, interviews conducted in person or electronically or through employment and consulting companies, background checks about the employee candidate by our company, recruitment tests by HR specialist to evaluate the suitability of the candidate for the position.

Employee candidates are informed in detail in accordance with the PPDL by means of a separate document prior to the transfer of their personal data when applying for a job, and their explicit consent is obtained for necessary personal data processing operations

PROCESSING PERSONAL DATA OF OUR VISITORS IN OUR OFFICES

Our company processes the personal data of visitors to its building for the purposes of ensuring the physical safety of our Company, our employees, and visitors when entering/exiting the building, and for purposes of auditing workplace rules. In this context, the name, surname, and Turkish citizenship numbers of our visitors are validated and noted in the guest book, for the purpose of tracking visitors entering and exiting the building. However, the ID card of the visitor is not kept by security staff during his/her stay in the company, which is given back to the visitor after the aforementioned record is made in the guest book.

During the ID check at the gates, the visitor is informed about the processing of his/her personal data via an information text before the data are received. However, since our company has legitimate interests in this context, the explicit consent of the visitor is not obtained as per article 5/2/f of the PPDL. These data are only physically kept in the visitor registry book and are not transferred to another medium unless there is a suspicious situation that may threaten the Company's security. However, this information can be used to prevent crime or ensure the Company's security.

In addition, our Company may provide internet access to visitors during their stay in the Company's offices for the purposes of ensuring security and for the purposes specified in the policy. In this case, the log records of your internet access are recorded in accordance with Law No. 5651 and the mandatory provisions of the legislation arranged according to this law. These records are only processed when requested by authorized public institutions and organizations or in order to fulfill our legal obligations in the audit processes to be carried out within the Company.

Only a limited number of Elastron employees can access the log records obtained for this purpose. Company employees who have access to these records access those records in response to requests from authorized public institutions and organizations, or during audits, and share them with persons authorized by law.

PROCESSING PERSONAL DATA THROUGH CLOSED CIRCUIT CAMERA RECORDING

In order to ensure the security of our company and facility, security cameras are used and personal data are processed in this way. Our company deploys surveillance cameras for the following purposes: to increase the quality of the service provided, to ensure the security of the physical premises of the company and the physical safety of people inside the company, to prevent abuses, and to protect the legitimate interests of data subjects.

Personal data processing activities carried out by our company with security cameras are carried out in accordance with the Constitution, the PPDL, Law No. 5188 on Private Security Services, and relevant legislation.

Our company processes personal data in a limited and measured way for the relevant purposes as per article 4 of the PPDL. The privacy of persons is not subject to monitoring in a way that may result in an intervention exceeding security purposes. In this context, data subjects are informed by placing warning signs in common areas where CCTV recordings are made. However, since our Company has a legitimate interest in keeping CCTV records, their explicit consent is not obtained. In addition, as per Article 12 of the PPDL, necessary technical and administrative measures are taken to ensure the security of personal data obtained as a result of CCTV monitoring.

Also, a procedure has been prepared regarding the areas with CCTV cameras, the monitoring areas of the cameras, and the recording periods, and put to practice across our Company. This procedure is taken into account before a CCTV camera is placed. It is not allowed to place cameras to an extent that exceeds the security purpose and violates the privacy of people. Only a certain number of Company personnel are authorized to access CCTV footage and these authorizations are regularly reviewed. Personnel who have access to these records sign a letter of undertaking stating that they will protect personal data in accordance with the law. 

In order to ensure the security of the building, images are recorded by means of a total of 60 security cameras located in the entrance doors, building exteriors, production areas, cafeteria, floor corridors in company compounds, and the recording process is supervised by the security unit.

FOR WHAT PURPOSES DO WE USE YOUR PERSONAL DATA?

Our purposes for using your personal data vary depending on the type of business relationship between you and us (e.g. customer, supplier, business partner, etc.). Basically, our purposes for processing your personal data are listed below. Personal data processing activities regarding Employee Candidates are explained under the "Processing Personal Data of Employee Candidates" section above.

 

Why We Process your Personal Data

 

Samples

Assessment of potential suppliers/business partners

Conducting our review and conflict of interest process in accordance with our risk rules

Establishment and management of customer relations, execution and conclusion of the contract process with our suppliers/business partners

Performing the sales transactions of our company's products, submitting offers regarding our products, conducting the necessary tests for our customers who want to try our products before the sale, supplying goods, invoicing (including e-invoice and return invoice processes), monitoring of invoices for our customers and suppliers who do not use e-invoice through the e-archive system, establishing and performing contracts, ensuring post-contract legal transaction security, post-sales product tests and eliminating existing problems if necessary, improving our services, evaluating new technologies and applications, and determining and implementing our company's commercial and business strategies, managing operations (demand, offer, evaluation, order, budgeting, contract), providing product transportation organizations, executing financial operations and making reconciliations with our suppliers and customers in this context, managing financial affairs of the company, conducting the check, promissory note and mortgage processes, offering alternatives to the legal/real persons with whom it has commercial relations, visiting existing customers and dealers, archiving contracts, carrying out translation operations when required by our business relations, performing damage accounting within the scope of insurance transactions, notification of damages to the company and in this context, making expert examinations and receiving payments, checking the compliance of supplier companies with quality standards and carrying out the necessary audits in this context, carrying out documentation studies within the framework of quality standards, organizing the trips of engineers and technical employees visiting Elastron within the scope of business trips, travel arrangement of customer/dealers, issuance of in-plant work permits, cooperation with universities within the scope of R&D, organization of R&D training, performing central inspections, cooperating with universities within the scope of R&D, organizing R&D training,

Execution of direct marketing processes

Sending marketing messages about our services by email and phone, conducting satisfaction surveys or evaluating your opinions, complaints, and comments on social media, online platforms, or other channels, responding to them, informing our customers about company innovations, performing marketing activities with participants at company events, sharing of photos taken at trade shows as part of social media activities, conducting interviews as part of conducting press activities and providing information about the interviews, responding to customers requesting catalogs through the mobile application and website, conducting emailing activities after our participation in trade shows

Contact and support (upon your request)

Answering requests for information about our services, providing support for requests received through our communication channels, keeping our records and updating our database (in connection with the process of creating new customers and new dealer cards), communicating with customers and suppliers in fairs we attend, exchanging business cards, finding solutions based on the complaint reports received by our sales or quality control units and reporting the actions taken

Compliance with legal obligations

Execution of tax and insurance processes, fulfillment of our legal obligations arising from the relevant legislation, especially Law No. 5651 and other legislation, Law No. 6563 on the Regulation of Electronic Commerce and other legislation, the Turkish Penal Code No. 5237 and Personal Data Protection Law No. 6698, carrying out the necessary processes at official institutions, record keeping and information obligations, compliance and auditing, audits and inspections of official authorities, tracking and concluding our legal rights and lawsuits, performing processes within the scope of compliance with the laws and regulations that we are subject to such as data disclosure upon the request of official authorities, executing the relevant processes with regulatory and supervisory agencies, within the scope of the requirements and obligations in order to ensure the fulfillment of the legal obligations specified in the PPDL as required or mandated by the legal regulations

Protection and safeguarding of company interests

Carrying out the necessary audit activities for the protection of the company's interests, checking for conflicts of interest, ensuring the legal and commercial security of the people who have a business relationship with our company, keeping CCTV records for the protection of company devices and assets, taking technical and administrative security measures and working on the development of the services we provide, execution, implementation and supervision of workplace rules, planning and execution of social responsibility activities, protection of the commercial reputation and trust of PEC Global group companies, reporting all incidents, accidents, complaints, theft etc. that occur inside the building and taking precautions, conveying the rules to be followed for dangerous situations that may occur during maintenance and repair, measuring the professional competence of the subcontractors, regulating entrance and exit of company employees to/from the building and obtaining the necessary information in terms of safety, carrying out the necessary quality and standard inspections, or fulfilling our reporting and other obligations determined by laws and regulations, evaluating the suitability of suppliers to do active work on the field

Planning and execution of company commercial activities

Conducting communication, market research, and social responsibility activities and purchasing transactions carried out by our Company in line with the purpose of determining, planning, and implementing the Company's commercial policies in the short, medium, and long term, determining and implementing commercial and business strategies, 

Reporting and auditing

Ensuring communication with PEC Global group companies based in Turkey, carrying out necessary activities, internal audit and reporting processes

Protection of rights and interests

Carrying out defenses against legal claims such as lawsuits and investigations brought against our company, mediation, executing the provisions of civil and public lawsuits

 

HOW DO WE USE YOUR PERSONAL DATA FOR MARKETING PURPOSES?

As marketing activities are not considered within the scope of the exceptions regulated in Articles 5/2 and 6/3 of the PPDL, we always obtain your consent as a rule to process your personal data within the scope of marketing activities. Our company may periodically send you messages about our products and events. Such communications may be sent to you via different channels such as email, telephone, SMS text messages, postal mail, and third-party social networks. 

In order to provide you with the best personalized experience, these communications can sometimes be tailored to your preferences (for example, based on the results we draw from your website visits or the links you click in our emails).

We conduct marketing activities and process your data for the purpose of presenting you offers for special products such as internet advertising, product advertisements, using Cookies for this purpose, making commercial offers considering your preferences, presenting special content and other benefits for sales and marketing activities, and other marketing and CRM activities based on your preferences, processing for the purpose of creating new product and service models, sending electronic commercial messages (such as newsletters, customer satisfaction surveys, product advertisements), sending gifts and promotions, corporate communication and organizing other events and invitations within this scope and providing information about these.

When required by applicable law, we will ask for your permission before starting the above activities. You will also be given the opportunity to withdraw (stop) your consent at any time. In particular, you can always stop marketing-related notifications from being sent to you by following the unsubscribe instruction included in every email and SMS message.

If you log into an Elastron account, you may be given the option to change your communication preferences under the relevant section of our website or app. You can always contact us to make us stop sending you marketing-related communications (you can find contact details in the "What Are Your Rights Regarding Your Personal Data" section below).

FOR WHAT LEGAL REASONS DO WE PROCESS YOUR PERSONAL DATA?

We process your personal data within the framework of the following legal reasons regulated in Article 5 of the PPDL, especially the Turkish Commercial Code No. 6102, Turkish Code of Obligations No. 6098, Tax Procedure Law No. 213, and the Electronic Commerce Legislation:

Legal Reason

Samples

In cases where we need your explicit consent in accordance with the PPDL and other legislation, we process data based on your consent (we would like to remind you that you can withdraw your consent at any time)

We obtain your consent to carry out our marketing activities.

In any case, permitted by applicable law

Indication of the name of the relevant person on the invoice within the scope of Article 230 of the Tax Procedure Law

When there is an obligation to protect the vital interests of any person

Giving the health information of the board member who fainted in the board of directors meeting to the doctor

Where we need to enter into a contract with you, perform the contract and fulfill our obligations under a contract

Obtaining the customer's bank account details under a contractual relationship with the customer

Fulfilling our legal obligations,

Fulfillment of tax obligations, submission of the information requested as per a court decision to the court

If your personal data has been made public by you

Sending an e-mail to us so that we can contact you, when an employee candidate writes his/her contact information on the website where the job application is collected, using the personal data you have made public through means such as social media channels for the purpose of making it public

When it is necessary for us to process data for the establishment or protection of a right, to use our legal rights and to defend against legal claims brought against us

Keeping/storing documents that may serve as proof/evidence and using them when necessary

In cases where our legitimate interests require, provided that it does not harm your fundamental rights and freedoms.

To maintain the security of our company's communications networks and information, to conduct our corporate activities, to detect and investigate suspicious transactions, to comply with our risk policies, to use storage, hosting, maintenance, and support services, to provide technical and security IT services, to ensure the efficiency of our corporate activities, and to take advantage of cloud technology

 

We would like to emphasize that in cases where your personal data are processed with explicit consent and if you withdraw your explicit consent, you will be removed from the Commercial Membership Program if the processing is required on the basis of the explicit consent and you cannot continue to benefit from the advantages you enjoyed thanks to such processing at the time.

WHEN DO WE SHARE YOUR PERSONAL DATA?

Domestic Transfer of Personal Data

Our company is under the responsibility of acting in accordance with the decisions and related regulations stipulated in the PPDL and taken by the Board regarding the transfer of personal data, primarily as per article 8 of the PPDL. As a rule, personal data and sensitive data belonging to data subjects cannot be transferred to other real persons or legal entities without the explicit consent of the data subject.

In addition, in cases stipulated in Articles 5 and 6 of the PPDL, a transfer is possible without the consent of the person concerned. Our company, in accordance with the conditions set forth in the PPDL and other relevant laws and by taking the security measures set forth in the laws (in the relevant contract if an existing contract has been signed with the data subject), and if provided for in the laws or other relevant laws, may transfer them to third parties and companies under the umbrella of PEC Global.

Overseas Transfer of Personal Data  

Our company can transfer personal data to third parties in Turkey, to be processed in Turkey or outside of Turkey, including outsourcing, or to third parties based overseas, in accordance with the conditions stipulated in the Law and other relevant legislation and by taking the security measures specified in the legislation. In order to carry out our business activities as efficiently as possible and to benefit from the possibilities offered by technology, we transfer your personal data abroad by taking the necessary technical and administrative measures through cloud information technology. Your personal data shall also be transferred to our companies abroad to carry out our business activities and ensure business organization, in accordance with the conditions set forth in the law and other relevant laws and taking the security measures set forth in the laws.

As per Article 9 of the PPDL, we seek the explicit consent of data subjects for the transfer of personal data abroad. However, as per Article 9 of the PPDL, requirements set out in Articles 5/2 or 6/3 of the PPDL must be fulfilled and the country to which data are transferred must:

a) have necessary data safeguarding arrangements in place,

b) and if there is no security arrangement in place, data controllers in Turkey and in the relevant foreign country must undertake in writing an adequate data protection initiative and the Board's consent must be sought, whereby the consent of the data subject is not sought.

In this context, in exceptional cases where no explicit consent is obtained for the above-mentioned transfer of personal data, in addition to the conditions of processing and transfer without consent, sufficient protection will be sought in the country to which the data are transferred in accordance with the PPDL. The Personal Data Protection Board shall decide whether or not adequate protection is provided. In the absence of adequate protection, data controllers both in Turkey and in the respective foreign countries must commit in writing to provide adequate protection and obtain permission from the Personal Data Protection Board.

For service providers whose headquarters are abroad and from which we receive support, please refer to the links below.

Name

Job Title

Address

 Additional Information

Google Ireland Limited

Business applications (e.g. email, document and calendar)

Gordon House, Barrow Street, Dublin 4, Dublin, D04 E5W5

Data centers located in different parts of the world (EU, Chile, Singapore, Taiwan, USA)

https://www.google.com/about/datacenters/inside/locations/index.html

Microsoft Limited

Azure cloud services

Microsoft Campus, Thames Valley Park,

Reading, RG6 1WG, England

   https://azure.microsoft.com/en-us/explore/trusted-cloud/

 

Domestic/Overseas Parties with Whom Data are Shared

We do not share your Personal Data except in special circumstances described here within. People who have access to your Personal Data at Elastron will be limited to those who need to know the information for the purposes defined in this Policy. In order to fulfill the purposes for which your data was collected (for detailed information about these purposes, see the "For what purposes do we use your personal data?" section above), we transfer your Personal Data to the following individuals and institutions:

  1. PEC Global Group Companies: Since we operate under PEC Global group companies, your data are shared with and made accessible to PEC Global group companies based in Turkey with whom we are affiliated. Data sharing is only be made with authorized employees in the relevant PEC Global group company. However, we would like to state that the data sharing we do in general is carried out in a way that does not include personal data within the scope of financial reporting on company activities such as company profitability and efficiency. In some special cases, instead of sharing anonymous information with PEC Global group companies, we may share personal data (such as sharing details about damage to open an insurance damage file). The Data Sharing Agreement regarding the transfer of your personal data between PEC Global group companies was signed and necessary measures were taken.
    In addition, your personal data are also shared with the group companies of Elastron abroad, within the scope of financial reporting on company activities such as company profitability and efficiency. Data sharing is only be made with authorized employees in the relevant Elastron group company. The Data Sharing Agreement regarding the transfer of your personal data among Elastron group companies was signed and necessary measures were taken.
  2. Service Providers: Defines the parties with which our company establishes business partnerships for the purposes of sales, promotion and marketing of our company's products, after-sales support, etc., while carrying out its commercial activities. Like many businesses, we cooperate with reliable third parties such as information and communication technology providers, E-System service consulting firms, consultancy services providers, cargo companies, travel agencies, in order to carry out functions and services in the most efficient and up-to-date technologies within the scope of some data processing activities. We can share data to carry out our activities in this context. This sharing is limited to the purpose of ensuring the fulfillment of the purposes of establishment and performance of the business partnership. We use cloud information technologies in order to carry out the activities of our company in the most efficient way and to benefit from technology at the maximum level, and in this context, we can process your personal data at home and abroad through companies that offer cloud computing services. The marketing services support company we share data with may be established abroad and in this context, as per Articles 8 and 9 of the PPDL, data sharing with overseas parties is carried out in accordance with the respective provisions regarding data sharing with overseas parties.
  3. Public Institutions and Organizations: We may share your personal data with relevant official, judicial and administrative authorities when required by law or when we need to protect our rights. (e.g. Tax offices, notaries, law enforcement, gendarmerie, police departments, courts and enforcement offices).
  4. Private Entities: According to the provisions of the relevant legislation, personal data can be shared for a limited purpose within the remit of private authorities authorized to receive information and documents from our Company (e.g. Occupational Health and Safety Company).
  5. Professional consultants and others: We share your Personal Data with other persons, including professional consultants, in order to provide you with the salary and benefits you are entitled to, to manage company credit card transactions, and to give you a company credit card:
  • Banks
  • Insurance companies
  • Auditors
  • Lawyers
  • Accountants
  • Translation Offices
  • Consultancy Firms from Which we Receive Customs Services
  • Shipping Companies
  • Mediation Offices
  • Airlines
  • Hotels
  • Press
  • Media Agencies
  • Other external professional consultants
  1. Other parties in connection with corporate transactions: In addition, from time to time, we may collect your Personal Data with companies from which we receive services and consultancy in Turkey and abroad, and with other parties in connection with company transactions, such as our customers, subcontractors, suppliers, business partners, during the execution of the contractual and commercial relations established for the execution of the Company's business and activities, to ensure the efficiency and security of our company processes, in the event of any other reorganization/structuring, merger, joint venture or other sale or divestiture of the name, assets or shares of Elastron, during the sale of a company or a particular portion of a company to another company in order to fulfill the commitments made (including bankruptcy or similar proceedings).  

SOCIAL PLUGINS

Our web pages use "social plugins" from social networks, including in particular the "Share" button of the "Facebook" provider on the page facebook.com, operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. Plugins usually have the Facebook logo. In addition to Facebook, we use "Google+" plugins (provider: Google Inc., Amphitheater Parkway, Mountain View, CA 94043, USA), "YouTube" (provider: YouTube LLC, 01 Cherry Avenue, San Bruno, CA 94066, USA) , "Twitter" (provider: Twitter, Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA), "Vimeo" (provider: Vimeo Inc., 555 West 18th Street New York, NY 10011 USA), "LinkedIn" (provider for non-US customers: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland).

We consciously made the decision not to use plugins directly from social networks on our website for privacy reasons. Instead, we use an alternative technical solution that allows you to specify whether and when information is given to operators and such social networks. When you visit our web pages, no information is automatically sent to social networks such as Facebook, Google+, Twitter, or Pinterest. Only when you actively click on the relevant button does your Internet browser connect to the servers of the specified social network. This means clicking on the elements in question and then on the symbol of the social network, which means giving your consent for your Internet browser to communicate with the servers of the social network and send the user data from this network to the operator. We have no influence over the type and scope of data social networks collect. Please refer to the relevant privacy policies of these social networks for the rights and options regarding the purpose and scope of data collection, the processing of data, and its use by the relevant social networks.
Facebook Privacy Policies can be found here. 

More information on data usage for "Google", "Youtube" , "Twitter" , Vimeo or ‘'LinkedIn''  can be found on the privacy policy pages.

Facebook Corporate Products

Elastron may use Facebook advertising services and Facebook Pixel retargeting and communication services from time to time. With Facebook Corporate Products, Elastron aims to offer you ads on Facebook and/or other Facebook-related platforms and to make these ads more relevant to you. The data collected in this way remains anonymous for Elastron, and Elastron cannot access any personal data regarding individuals.

However, the collected data are stored and processed by Facebook. Facebook may associate your Facebook account with your personal data and use this data for its own advertising activities. Facebook has ultimate control over the data collected through Facebook Advertising Services, Facebook Pixel retargeting and communications services. You can change the settings related to Facebook cookie usage and Facebook Pixel retargeting in the settings section of your Facebook account.

For information about retargeting pixels and technologies provided by Facebook, please visit Facebook.

Google Maps

We recommend using Google Maps to show you maps and create directions to make your journey easier. Google Maps is operated by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. These pages were tagged as related.

By using this service, you consent to Google's collection, processing, and use of the information entered by you. Google Maps Terms of Use can be accessed on the Google Help page.

Web analytics with Google Analytics

This website uses Google Analytics, a web analysis service provided by Google Inc. ("Google"). Google Analytics uses "cookies", which are text files that are saved on your computer and analyze your use of the website. The information generated by the cookie about your use of this website (including the abbreviated IP address) is transferred to a Google server in the United States and stored there. Google will use this information to analyze your use of the website, to compile reports on website activity for website operators and to provide further services related to website and Internet usage. Google will also, where appropriate, transfer this information to third parties when legally required or when those parties process this information on Google's behalf. Google will never associate your IP address with your IP address.

You can prevent your information from being used by Google Analytics by installing a plugin on your browser.

Logging

Every time you log into the website, registration information is generated and processed for statistical purposes, which ensures that the user remains anonymous:

  • The reference (the web page from which you accessed this page using the link)
  • Search phrases (if the reference is a search engine)
  • IP analysis is performed to determine the accessed country and provider
  • Browser, operating system, installed plug-ins and screen resolution
  • Time spent on pages
  • The specified data are processed by us for legal purposes based on the PPDL:
  • Ensuring a smooth connection with the web page,
  • Ensuring comfortable use of the web page,
  • Evaluation of system security and stability, and other administrative purposes.

We reserve the right to check this information retrospectively if we become aware of certain signs of illegal use. If it is no longer needed for this purpose, the data will be erased immediately and in any case no later than six months later.

HOW LONG DO WE STORE YOUR PERSONAL DATA?

We retain your personal data only for as long as necessary to fulfill the purpose for which they were collected. We determine these periods separately for each business process, and if there is no other reason to keep your personal data at the end of the relevant period, we destroy your personal data in accordance with the PPDL.

We consider the following criteria when determining the destruction periods for your personal data:

  • The industry-standard periods, in conjunction with the purposes for which the date category is processed by the data controller,
  • The period during which the legal relationship established with the data subject, which requires the processing of personal data in the relevant data category, continues,
  • The period during which the legitimate interest to be obtained by the data controller, depending on the purpose of processing the relevant data category, will be valid in accordance with the law and honesty rules,
  • The period during which the risks, costs and responsibilities arising from the storage of the relevant data category depending on the purpose of data processing will continue legally,
  • Whether the maximum period to be determined is suitable for keeping the relevant data category accurate and up-to-date when necessary,
  • The period during which the data controller is obliged to keep the personal data in the relevant data category due to its legal obligation,
  • The limitation period determined by the data controller for asserting a right related to personal data in the relevant data category.

HOW DO WE DESTRUCT YOUR PERSONAL DATA?

Although the personal data may be processed in accordance with the provisions of the relevant law in accordance with Article 138 of the Turkish Penal Code and Article 7 of the PPDL, it is erased or destroyed, or anonymized at our Company's own discretion or upon the request of the personal data subject in the event that the reasons requiring processing are eliminated.

In this context, the Personal Data Retention and Destruction Policy was prepared. In cases where our company has the right and/or obligation to preserve personal data in accordance with the provisions of the relevant legislation, the right not to fulfill the request of the data subject is reserved. When personal data are processed by non-automatic means, provided that it is a part of a data recording system, a system of physical destruction of personal data is applied while data is being erased/destroyed so that it cannot be used later. When our company agrees with a person or organization to process personal data on its behalf, personal data is securely erased by these people or organizations in a way that cannot be recovered. Our company can anonymize personal data when the reasons that require the processing of personal data in accordance with the law are eliminated.

METHODS OF DESTRUCTING PERSONAL DATA

Erasure of Personal Data

Our company may erase personal data, upon its own decision or upon the request of the personal data subject in case the reasons requiring processing of data no longer apply despite their processing in accordance with the provisions of the relevant law. Erasure of personal data is the process of making personal data inaccessible and non-reusable for the relevant users. All necessary technical and administrative measures are taken by our company to make the erased personal data inaccessible and not reusable for the relevant users.

The Process of Erasing Personal Data

The process to be followed in the erasure of personal data is as follows:

  • Determining what personal data is to be erased.
  • Identifying relevant users for each personal data using an access authorization and control matrix or a similar system.
  • Determining the authorizations and methods of the relevant users such as access, retrieval, and reuse.
  • Deactivating and eliminating the access, retrieval, reuse authorizations/methods of relevant users within the scope of personal data.

Methods of Erasing Personal Data

Data Recording Environment

Description

Personal Data

on Servers

The system administrator removes the access authorization of the relevant users and erases the personal data on the servers if their retention period has expired.

Personal Data in

Digital Environments

Concerning personal data in electronic environments whose retention period has expired, they are rendered inaccessible and non-usable in any way for other employees (related users) except the database administrator.

Personal Data in a Physical Environment

Personal data kept in a physical environment is made inaccessible and non-reusable in any way for other employees, except for the unit manager responsible for the document archive, if its retention period has expired. In addition, it is blotted out by crossing it out/painting/erasing it in a way that makes it illegible.

Personal Data in

Removable Media

Of personal data kept in flash-based storage media, the expired ones are encrypted by the system administrator and the access authorization is given only to the system administrator, and are stored in secure environments with
encryption keys.

 

Since personal data can be stored in various recording media, they must be erased by methods suitable for recording media. Some examples are:

Application Type Cloud Software as a Service (such as Office 365 Salesforce, Dropbox: Data in the cloud system must be erased by way of an erase command. It should be noted that the relevant user does not have the authority to restore the erased data on the cloud system while performing the aforementioned operation.

Personal Data in Paper Form: Personal data in paper form must be erased by blotting out the contents. This is done by cutting out the bits of personal data on a relevant document when possible, and in cases where it is not possible, making it invisible to the relevant users by using ink so that it cannot be read with technological solutions.

Office Files Located on the Central Server: The file must be erased with the erase command in the operating system or the access rights of the relevant user on the file or the directory where the file is located must be removed. While performing the aforementioned operation, it must be ensured that the relevant user is not also a system administrator.

Personal Data in Removable Media: Personal data in flash-based storage media should be stored encrypted and erased using software suitable for these media.

Databases: Relevant rows containing personal data must be erased with database commands (ERASE etc.). While performing the aforementioned operation, it must be ensured that the relevant user is not also a database administrator.

Destruction of Personal Data

Our company may destroy personal data, upon its own decision or upon the request of the personal data subject in case the reasons requiring processing of data no longer apply, despite their processing in accordance with the provisions of the relevant law. Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. The data controller is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.

Data Recording Environment

Description

Personal Data in a Physical Environment

Personal data in paper form that no longer need to be retained are irreversibly destroyed in paper clipping machines.

Personal Data in Optical / Magnetic Media

Personal data in optical media and magnetic media that no longer need to be retained are
melted, burnt or pulverized. In addition, magnetic media is passed through a special device and exposed to a high magnetic field, making the data on it unreadable.

 

Physical Destruction: Personal data can also be processed in non-automatic ways, provided that they are part of a data recording system. While such data are being erased/destroyed, physical destruction of personal data takes place so that they cannot be used later.   

Secure Removal from Software: While erasing/destroying data processed by fully or partially automated means and stored in digital media, methods are used to erase the data from the relevant software in a way that cannot be recovered again.    

Secure Erasure by an Expert: In some cases, we may hire an expert to erase personal data on our behalf. In such cases, personal data are securely erased/destroyed by a person who is an expert in this field, in a way that they cannot be recovered. 

Blotting out: Making personal data physically unreadable.

Personal Data Destruction Methods

In order to destroy personal data, it is necessary to identify all copies of the data and to destroy them one by one using one or more of the following methods, depending on the type of systems in which the data are located:

Local Systems: One or more of the following methods can be used to destroy data on these systems. i) De-magnetization: It is the process of corrupting the data in an unreadable manner by exposing the magnetic media to a very high magnetic field by passing it through a special device. ii) Physical Destruction: It is the physical destruction of optical media and magnetic media such as melting, burning, or pulverizing. Data are rendered inaccessible by processes such as melting, incinerating, pulverizing, or passing optical or magnetic media through a metal grinder. For solid-state disks, if the overwriting or demagnetization is not successful, this media must also be physically destroyed. iii) Overwriting: It is the process of preventing the recovery of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media. This process is done using special software.

Peripheral Systems: Depending on the type of the environment, the destruction methods that can be used are listed below: İ) Network devices (switches, routers, etc.): The storage media in these devices are fixed. Products often have an erase command but no destroy function. It must be destroyed using one or more of the appropriate methods specified in (a). ii) Flash-based environments: Those with flash-based hard drives having ATA (SATA, PATA, etc.), SCSI (SCSI Express, etc.) interfaces, must be erased using the <block erase> command if supported, or using the manufacturer's recommended destruction method if not supported, or they must be destroyed using one or more of the appropriate methods specified in (a)). iii) Magnetic Tape: These are the environments that store the data on a flexible tape using micromagnetic pieces. They must be destroyed by exposing to very strong magnetic environments and demagnetizing them, or by physical destruction methods such as burning and melting. iv) Units such as magnetic disks: These are media that store data using micromagnetic parts on flexible (disks) or fixed media. They must be destroyed by exposing them to very strong magnetic environments and demagnetizing them or by physical destruction methods such as burning and melting. v) Mobile phones (Sim card and fixed memory areas): There is an erase command in the fixed memory areas of portable smartphones, but most of them do not have a destroy command. They must be destroyed using one or more of the appropriate methods specified in (a). vi) Optical discs: They are data storage media such as CD, DVD. They must be destroyed by physical destruction methods such as burning, breaking into small pieces, melting. vii) Peripherals such as printer, fingerprint door access system with removable data recording media: All data recording media should be verified to be removed and destroyed by using one or more of the appropriate methods specified in (a) according to their characteristics. viii) Peripherals such as printers with fixed data recording medium and fingerprint door access system: Most of these systems have an erase command but no destroy command. They must be destroyed using one or more of the appropriate methods specified in (a).

Paper and Microfiche Media: Since the personal data in these media are permanently and physically written on the media, the main media must be destroyed. While performing this operation, it is necessary to divide the media into small pieces using paper shredders or clipping machines, horizontally and vertically if possible, in such a way that they cannot be reassembled. Personal data transferred from original paper format to electronic media by scanning should be destroyed by using one or more of the appropriate methods specified in (a) according to the electronic environment in which they are located.

Cloud Environment: During the storage and use of personal data in the aforementioned systems, cryptographic methods must be used for encryption, and separate encryption keys must be used for personal data wherever possible for each cloud solution received. When the cloud computing service relationship ends, all copies of the encryption keys required to make personal data usable must be destroyed. In addition to the above media, the destruction of personal data on devices that fail or are sent away for maintenance is carried out as follows: i) Destroying the personal data contained in the related devices before they are transferred to third institutions such as manufacturers, vendors and services for maintenance and repair, by using one or more of the appropriate methods specified in (a),ii) In cases where it is not possible or appropriate to destroy them, the data storage medium should be disassembled and stored, and other defective parts sent to third institutions such as the manufacturer or dealer, iii) Necessary measures must be taken to prevent non-company personnel hired for maintenance and repair work from copying personal data and taking them out of the institution.

Anonymization of Personal Data

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even by matching them with other data. Our company can anonymize personal data when the reasons that require the processing of personal data in accordance with the law are eliminated. In order for personal data to be anonymized, personal data must be dissociated with an identified or identifiable natural person, including through the use of appropriate techniques for the recording medium and the particular area of activity, such as the return of the personal data by the data controller or recipient groups and/or matching of the data with other data. Our company takes all necessary technical and administrative measures to anonymize personal data.

As per Article 28 of the PPDL, anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the PPDL and no explicit consent is obtained from the data subject.

Methods of Making Personal Data Anonymous

Anonymization of personal data means that personal data can under no circumstances be traced to an identified or identifiable natural person, even if it is matched with other data.

In order for personal data to be anonymized, personal data must be dissociated with an identified or identifiable natural person, including through the use of appropriate techniques for the recording medium and the particular area of activity, such as the return of the personal data by the data controller or third parties and/or matching of the data with other data.

Anonymization is the removal or changing of all direct and/or indirect identifiers in a data set, preventing the identification of the person concerned, or making them indistinguishable in a group or crowd in a way that cannot be associated with a natural person. Data that do not point to a specific person as a result of these processes are considered anonymized data. In other words, anonymized data are pieces of information that identify a real person until the process, which can no longer be associated with the relevant person as there is no more a connection between the two. The purpose of anonymization is to break the connection between the data and the person identified by this data. All of the dissociation processes carried out by methods such as automatic or non-automatic grouping, masking, derivation, generalization, and randomization applied to the records in the data recording system where personal data are kept are called anonymization methods. The data obtained as a result of the application of these methods must be unable to identify a specific person.

Examples of anonymization methods are described below:

Anonymization Methods That Do Not Ensure Value Irregularity: In methods that do not provide value irregularity, no alteration, addition, or exclusion is applied to the values of the data in the set, instead, changes are made to all of the rows or columns in the set. Thus, while the overall data changes, the values in the fields retain their original state.

Removing Variables

It is an anonymization method whereby one or more of the variables is removed from the table by completely erasing them. In such a case, the entire column in a table will be removed completely. This method can be used when the variable is a higher-order identifier, there is no more appropriate solution, the variable is too sensitive to be made public, or it serves no analytical purpose.

Removing Records

In this method, anonymity is strengthened by removing a row containing singularity in the dataset, and the possibility of generating assumptions about the dataset is minimized. Usually, removed records are those that have no common value with other records and can be easily guessed by those who have an idea about the record. For example, in a dataset with survey results, let us assume only one person from one industry was included in the survey. In such a case, instead of removing the variable "industry" from all survey results, it may be preferable to remove only the record belonging to that person.

Regional Hiding

The purpose of regional hiding is to make the data set more secure and to reduce the predictability risk. If the combination of values for a particular record produces very low visibility and it is likely to make that person distinguishable in the relevant community, the exception value is changed to "unknown".

Generalization

It refers to the process of transforming the relevant personal data from a specific value to a more general value. It is the most commonly used method when creating cumulative reports and during operations performed on totals. The resulting new values represent aggregated values or statistics belonging to a group, which makes it impossible to reach a real person. For example, a person with Turkish ID number 12345678901 buys wet wipes after purchasing diapers on an e-commerce platform. By applying the generalization method in the anonymization process, it can be concluded that xx% of people who buy diapers on the e-commerce platform also buy wet wipes.

Coding of the lower and upper limit

Coding for lower and upper limits is performed by defining a category for a given variable and combining the values within the grouping created by that category. Generally, the low or high values of a given variable are collected and a new definition is made for these values.

Global Coding

The global coding method is a grouping method used in data sets that are not suitable for lower and upper limit coding, do not contain numeric values, or have values that cannot be sorted numerically. It is generally used when certain values are aggregated, making it easier to make predictions and assumptions. Creating a common new group for the selected values will replace all records in the dataset with this new definition.

Sampling

The sampling method involves disclosing or sharing a subset of the data set instead of the entire data set. Thus, not knowing whether an individual known to be in the entire data set is included in the disclosed or shared sample subset reduces the risk of making accurate predictions about individuals. Simple statistical methods are used in determining the subset to be sampled. For example, if a dataset on the demographic information, occupation, and health status of women living in Istanbul is disclosed or shared through anonymization, scanning and estimating the relevant dataset on a woman known to live in Istanbul may be useful. However, if only the records of women with registered addresses in Istanbul are left in the relevant dataset and those with addresses registered in other provinces are excluded from the dataset and anonymized, and the data are disclosed or shared, and since a malicious person accessing the data cannot guess whether the address of a woman she knows to be living in Istanbul is registered in Istanbul, they cannot reliably guess whether the information of this person they know about is contained in the data they hold.

Anonymization Methods That Provide Value Irregularity: Unlike the above methods, methods that provide value irregularity modify existing values to create a bias in the values of the dataset. Since in such cases the values of the records change, the benefit to be gotten from the record should be calculated correctly. Even if the values in the data set change, it is still possible to benefit from the data by ensuring that the overall statistics are not corrupted.

Micro Merging

This method first puts all the records in the dataset into a meaningful order and then divides the entire dataset into a specified number of subsets. Then, by averaging the value of each subset of the determined variables, the value of that subset variable is replaced by the mean value. Thus, the average value of this variable does not change for the entire data set.

Data Exchange

The data exchange method consists of record changes obtained by exchanging values of a subset of variables between pairs selected from the records. This method is mainly used for categorizable variables, and the main idea is to transform the database by changing the values of the variables between individual records.

Noise Addition

This procedure involves additions and exclusions to provide biases of a certain magnitude in a selected variable. This method is mainly applied to data sets that contain numeric values. The distortion applies equally to each value.

Statistical Methods to Strengthen Anonymization

By combining some values in the records with singular scenarios in anonymized datasets, it may be possible to identify the individuals in the records or make assumptions about their personal information.

For this reason, anonymity can be strengthened by minimizing the singularity of records in the dataset by using various statistical techniques in anonymized datasets. The main purpose of these methods is to keep the benefit from the dataset at a certain level while minimizing the risk of compromising anonymity.

K-Anonymity

In anonymized datasets, the fact that the identities of individuals in the datasets can be determined when indirect identifiers are combined with the correct combinations, or personal information about a particular individual can be easily guessed has shaken confidence in anonymization procedures. Based on this, data sets anonymized by various statistical methods had to be made more reliable. K-anonymity is designed to prevent the disclosure of person-specific information with singular characteristics in certain combinations by allowing the identification of more than one person with specific fields in a record. If there is more than one record that belongs to the combinations created by combining some of the variables in a record, the probability of identifying the individuals that match that combination decreases.

L-Diversity

The L-diversity method, developed to address the deficiencies of K-anonymity, takes into account the diversity of sensitive variables corresponding to the same combinations of variables.

T-Proximity

Although the L-Diversity method provides diversity in personal data, there are situations where it does not provide sufficient protection because the method in question does not address the content and sensitivity of personal data. As such, calculating the degree of proximity of personal data and values to each other and anonymizing the dataset by sub-classifying them according to these degrees of proximity is called the T-proximity method.

Choosing the Right Anonymization Method

Our company decides which of the above methods to use by considering the data in hand and taking into account the following characteristics of the data set:

The nature of the data,

The size of the data,

The existence of the data in physical environments,

Diversity of data,

The desired benefit from / the purpose of processing the data,

The frequency of processing the data,

The reliability of the party to which the data will be transferred,

How meaningful the effort to make the data anonymized will be,

The magnitude and scope of the damage that may arise in the event that the anonymity of the data is compromised,

Distribution/centralization ratio of data,

Access authorization control of users to relevant data and

How meaningful the effort to construct and implement an attack that will disrupt anonymity will be.

When anonymizing data, our company checks whether the data in question re-identifies a person, using the information known to be held by other institutions and organizations to which it transmits personal data, or through the use of publicly known data, using contracts and risk analysis.

Anonymity Assurance

When our company decides that personal data should be anonymized instead of erased or destroyed, it takes care that the anonymity cannot be broken by combining the anonymized data set with another data set, that one or more values do not form a meaningful whole to make a record singular, and that the values in the anonymized dataset do not come together to produce an assumption or result. Our company reviews the data sets it has anonymized when the characteristics listed in this article change, and ensures that anonymity is maintained.

Risks of De-anonymization by Reversing Anonymized Data

Since anonymization is applied to personal data to destroy the distinguishing and identifying characteristics of the data set, there is a risk that these processes will be reversed through various interventions and the anonymized data will become identifiable once again. This situation is referred to as de-anonymization. Anonymization processes can only be achieved by manual operations or by automated advanced operations or hybrid operations consisting of a combination of both transaction types. However, it is important that once anonymized data have been shared or disclosed, measures are taken to prevent anonymity from being corrupted by new users who may access or possess the data. Deliberate actions to destroy anonymity are called "attacks to de-anonymize data". In this context, the Company examines whether there is a risk that the personal data anonymized by our company will be reversed by various interventions and that the anonymized data will lead to re-identification of real persons, to decide which appropriate measures must be taken.

HOW DO WE PROTECT YOUR PERSONAL DATA?

In order to protect your personal data and prevent unlawful access, our company will take the necessary administrative and technical measures in accordance with the Guide to the Protection of Personal Data published by the Personal Data Protection Authority, arrange procedures within the company, prepare clarifications and explicit consent texts and, in accordance with Article 12/3 of the PPDL, carry out the controls required to ensure their implementation or outsource services. The results of these audits are evaluated as part of the company's internal processes and necessary activities are carried out to improve the measures taken.

Your personal data mentioned above may be kept in both digital and physical environments by transferring it to the physical archives and information systems of our company and/or our suppliers. The technical and administrative measures to ensure the security of personal data are explained in detail below under two headings.

Technical Measures

We use generally accepted standard technologies and business security practices, including the standard technology called Secure Socket Layer (SSL), to protect the personal information we collect. However, due to the nature of the Internet, unauthorized persons can access information over networks without the necessary security measures. Depending on the current state of technology, the effort required for technological implementation and the type of data to be protected, we take technical and administrative measures to protect your data against risks such as destruction, loss, manipulation, unauthorized disclosure, or unauthorized access. In this context, we conclude data protection agreements with service providers with whom we work. You can find detailed information about these service providers via the relevant fields below.

Name

Job Title

Address

Google Ireland Limited

google.com

Business applications (e.g. email, document and calendar)

Gordon House, Barrow Street, Dublin 4, Dublin, D04 E5W5

Data centers located in different parts of the world (EU, Chile, Singapore, Taiwan, USA)

Microsoft Limited

azure.microsoft.com

Azure cloud services

Microsoft Campus, Thames Valley Park,

Reading, RG6 1WG, England

 

  1. Ensuring Cyber Security: We use cyber security products to ensure personal data security but the technical measures we take are not limited to this. Measures such as firewall and gateway create the first line of defense against attacks from environments such as the Internet. However, almost every software and hardware undergo a series of installation and configuration processes. Considering that some commonly used software, especially older versions, may have documented security vulnerabilities, unused software and services are removed from devices. For this reason, erasing unused software and services is preferred primarily for convenience rather than keeping them up to date. Patch management and software updates ensure that software and hardware function properly and that the security measures taken for the systems are checked regularly.
  2. Access restrictions tag: Access rights to systems containing personal data are restricted and regularly reviewed. In this context, employees are granted access within the scope of their tasks and duties as well as their authority and responsibilities, and are given access to the relevant systems using a user name and password. When creating the aforementioned passwords and passphrases, combinations of uppercase and lowercase letters, numbers, and symbols are preferred instead of numbers or strings of letters that are associated with personal information and are easy to guess. Accordingly, an access authorization and control matrix is created.
  3. Encryption: In addition to using strong passwords and passphrases, other measures include limiting the number of password entry attempts to protect against common attacks such as the use of the brute force algorithm (BFA), ensuring that passwords and passphrases are changed at regular intervals, opening the administrator account and administrator privileges for use only when needed, erasing the accounts or blocking logins without wasting time when an employee is no longer affiliated with the data controller.
  4. Anti Virus Software: As protection against malicious software, products such as antivirus and antispam, which regularly scan the information system network and detect dangers, are used, and these are kept up-to-date and the necessary files are scanned regularly. When personal data is to be retrieved from different websites and/or mobile application channels, connections are made using SSL or a more secure path.
  5. Monitoring Personal Data Security: Refers to reviewing what software and services are running on the information networks, determining if there is infiltration or an action that should not be taking place on the information networks, keeping transaction records of all users (e.g., log records), reporting security issues as soon as possible. Again, a formal reporting process is established so that employees can report security vulnerabilities in systems and services or threats that use them. In case of adverse events such as information system crash, malicious software, denial of service attacks, incomplete or incorrect data entry, breaches of confidentiality and integrity, misuse of the information system, evidence is collected and stored securely.
  6. Ensuring the Security of Environments Containing Personal Data: When personal data are stored on devices located on the premises of data controllers or on paper media, physical security measures are taken against threats such as theft or loss of these devices and papers. Physical environments containing personal data are protected against external risks (fire, flood, etc.) using appropriate methods, and access/egress to these environments is controlled.

When personal data resides in electronic media, access can be restricted between network components or these are segregated to prevent a breach of personal data security. For example, if personal data are processed in this area by restricting it only to a certain part of the network reserved for this purpose, the available resources can be reserved only for the security of this limited area, not of the entire network.

The same level of precaution is taken for paper data in paper/ digital form, and devices located off company premises that contain personal data owned by the Company. Although breaches of personal data security often occur due to theft or loss of devices containing personal data (laptop, cell phone, flash disk, etc.), personal data sent by email or mail is also sent carefully and with appropriate precautions. If employees use their personal electronic devices to access the information system network, appropriate security measures are taken for them as well.

In the event of loss or theft of devices containing personal data, access control permissions and/or encryption procedures are used. Accordingly, the encryption key is stored in an environment that can only be accessed by authorized persons, and unauthorized access is prevented.

Documents in the print form containing personal data are also kept under lock and key, stored in environments accessible only to authorized persons, and unauthorized access to these documents is prevented.

Our company notifies the Personal Data Protection Board and the data subjects as soon as possible when personal data are illegally obtained from others, in accordance with Article 12 of the PPDL. If necessary, the Personal Data Protection Board may announce this situation on its website or by other means.

  1. Storage of Personal Data in the Cloud: If personal data are stored in the cloud, the company should check whether the security measures taken by the cloud storage service provider are sufficient and appropriate. In this context, two-factor authentication is implemented to know in detail what personal data are stored in the cloud in order to secure, synchronize and access this personal data remotely when needed. When personal data are stored and used in the aforementioned systems, it is ensured that it is encrypted using cryptographic methods, that it is sent to the cloud environments in encrypted form, and that individual encryption keys are used for personal data where possible, especially for each cloud solution that is used. When the cloud computing service relationship ends, all copies of the encryption keys required to make personal data usable are destroyed. Access to data storage areas in which personal data are stored is logged, and inappropriate access or attempted access is communicated immediately to the respective parties.
  2. Procurement, development and maintenance of information technology systems: Safety requirements are taken into account when the company determines the need for the supply, development or improvement of existing systems.
  3. Backing Up Personal Data: In cases where personal data are damaged, destroyed, stolen or lost for any reason, the Company uses the secured data to take action as soon as possible. Secured personal data can only be accessed by the system administrator, and record backups are kept off the network.

Administrative Measures

  • All of our company's activities were analyzed in detail for all business areas and, as a result of this analysis, a process-based inventory of personal data processing was created. Risky areas in this inventory are identified and necessary legal and technical measures are taken continuously. (e.g. documents to be prepared under the PPDL were prepared considering the risks in this inventory)
  • Personal data processing activities carried out by our company are audited using information security systems, technical systems and legal methods. Within this framework, policies and procedures are established to ensure the security of personal data and regular checks are carried out.
  • Our Company may, from time to time, receive the services of outside service providers to meet its information technology needs. In this case, transactions are carried out by ensuring that Data Processing external service providers offer security measures equal to those provided by our company. In this case, the following provisions are included in this contract at a minimum level, which is enforced by signing a written contract with the Data Processor:
  •  
    • The Data Processor acts in accordance with the purpose and scope of data processing specified in the Contract, in accordance with the instructions of the Data Controller and in compliance with the PPDL and other laws,
    • Acting in accordance with the Personal Data Retention and Destruction Policy,
    • The Data Processor is subject to an indefinite confidentiality obligation regarding the personal data it processes,
    • In case of any data breach, the Data Processor is obliged to immediately notify the Data Controller,
    • Our Company may perform or make performed the necessary audits on the Data Processor's systems containing Personal Data and may review the reports resulting from the audit, and the on-site service provider company,
    • It may take necessary technical and administrative measures to ensure the security of personal data, and
    • Also, the categories and types of personal data transferred to the data processor will be specified in a separate article, as permitted by the nature of the relationship between us and the data processor.
  • As the Organization emphasizes in its guidance documents and publications, personal data are reduced as much as possible under the data minimization principle, and personal data that are not necessary, obsolete, and do not serve a purpose are not collected, and if they are collected in the period preceding the enactment of the PPDL, they are destroyed in accordance with the Personal Data Retention and Destruction Policy.
  • Expert personnel is employed to handle technical issues.
  • Our Company has included confidentiality and data security provisions in the employment contracts to be signed during the hiring process of its employees and requires employees to comply with these provisions. Employees are regularly informed and trained about Personal Data Protection Law and how to take the necessary measures in accordance with the law. In this context, the roles and responsibilities of employees were reviewed and their job descriptions revised.
  • Technical measures are taken in accordance with technological developments, and the measures taken are regularly reviewed, updated and renewed.
  • Access permissions are restricted and permissions are reviewed regularly.
  • The technical measures taken are regularly reported to the authorized person, the risk factors are reviewed and the necessary technical solutions are sought.
  • Software and hardware solutions including anti-virus systems and firewalls are installed.
  • Backup programs are used to ensure that personal data are stored securely.
  • Security systems for storage areas are implemented, the technical measures taken are regularly reported to the responsible person according to internal controls, the risky problems are re-evaluated and necessary technological solutions are worked out. Files/outputs stored in a physical environment are retained through the agency of related supplier companies and then destroyed in accordance with established procedures.
  • The issue of personal data protection is also taken seriously by the management, and a special committee (Personal Data Protection Committee) was formed to manage and supervise respective activities. A management guideline regulating the working rules of the Company's Personal Data Protection Committee was put into effect detailing the tasks of the committee in question.

A separate policy on the processing and protection of sensitive personal data was drafted and put into effect.

Pursuant to Article 6 of the PPDL, data relating to race, ethnicity, political opinions, philosophical beliefs, religion, sect or other beliefs, dressing style, membership in associations, foundations or trade unions, health, sex life, criminal convictions and security measures, and biometric and genetic data are classified as sensitive data since they carry a risk of victimization or discrimination if processed unlawfully, and the processing of such data has been subjected to more sensitive protective measures.

Our company informs the Data Subjects when collecting sensitive personal data in accordance with Article 10 of the PPDL. Sensitive personal data are processed by taking measures in accordance with the PPDL and carrying out/overseeing the required inspections. As a rule, another condition for the processing of sensitive personal data is the explicit consent of the data subject. Our company offers data subjects the opportunity to express their explicit informed consent, given on a volunteer basis, on a particular subject.

As a rule, our company obtains the express written consent of Data Subjects for the processing of sensitive personal data. However, pursuant to Article 6/3 of the PPDL, the explicit consent of Data Subjects shall not be sought if any of the conditions set forth in Article 5/2 of the PPDL exist. Besides, Article 6/3 of the PPDL stipulates that for the purpose of protecting public health, implementation of preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, personal data related to health and sexual life, may be processed by individuals or authorized institutions without obtaining the explicit consent of the data subject. Regardless of the occasion, the processing operations always take into account the general principles of data processing and ensure compliance with them.

Our company takes special measures to ensure the security of sensitive personal data. Sensitive personal data are not collected, in accordance with the principle of data minimization, unless this is necessary for the respective business process, and are only processed if this is required. In the case of processing of sensitive personal data, necessary technical and administrative measures are taken to comply with legal obligations and to comply with the measures established by the Personal Data Protection Board.

WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?

Pursuant to article 11 of the PPDL, you have the following rights regarding your personal data as data subjects:

  • Finding out whether your personal data are processed by our Company,
  • Request information regarding this if your personal data have been processed,
  • Asking about the purpose of processing your personal data and whether they are used in accordance with the intended purpose,
  • Knowing about the third parties to whom your personal data are transferred, at home or abroad,
  • Requesting correction of your personal data in case of incomplete or incorrect processing and requesting notification of the third parties to whom your personal data have been transferred,
  • Requesting the erasure or destruction of your personal data in the event that the reasons requiring its processing disappear, although they may have been processed in accordance with the provisions of the PPDL and other relevant laws, and requesting notification of the third parties to whom your personal data have been transferred, of the erasure/destruction,
  • Objecting to the emergence of a result against you due to analyzing the processed data exclusively through automated systems,
  • Requesting compensation for the damage you have suffered in case you suffer damage due to unlawful processing of your personal data.

You can send these requests to our Company free of charge, in accordance with the Application Communiqué, using the following method:

  • Fill out the Information Request Application Form, sign it, and send it to Gebze Osb Mahallesi 3200. Cadde No:3201/5 Gebze Kocaeli Pk. 41400 in person (please note you will be asked for proof of ID).
  • Fill out the Information Request Application Form, sign it, and send it to Gebze Osb Mahallesi 3200. Cadde No:3201/5 Gebze Kocaeli Pk. 41400 via a public notary. 
  • Fill out the Information Request Application Form and sign it with an e-signature as per Electronic Signature Law 5070 and email the form to [email protected] using your registered e-mail address.
  • Submitting it in writing using your e-mail address previously notified to our company and registered in our company's system.

The application must contain:

Name, surname, signature if it is a written application, Turkish Citizenship number for Turkish citizens, nationality for foreigners, passport number or identification number, if any, place of residence or workplace address for notifications, e-mail address for notifications, telephone and fax number, subject of the request. Information and documents related to the subject are also attached to the application.

It is not possible for third parties to make a request on behalf of personal data subjects. In order for a person other than the personal data subject to submit an application, a hand-signed and notarized copy of the special power of attorney issued by the personal data subject on behalf of the applicant must be available. For your application to exercise your rights as a personal data subject, the matter you are requesting must be clear and understandable, the subject you are requesting must be related to you or if you are acting on behalf of another person, you must be specifically authorized in this regard and document your authority, the request must include your identity and address information, and documents proving your identity must be attached to the request.

In this context, your applications will be finalized as soon as possible and within 30 days at the latest. These applications are free of charge. However, if the transaction requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board may be charged.

If the personal data subject sends a request to our company in accordance with the prescribed procedure, our company will process the relevant request free of charge as soon as possible and no later than within thirty days, depending on the nature of the request. However, if the procedure requires separate costs, our company will charge the applicant the fee at the rate set by the Personal Data Protection Board. Our company may request information from the data subject in order to determine whether the applicant is the owner of personal data. Our company may ask questions about the data subject's application in order to clarify the issues in the data subject's application.

In accordance with Article 14 of the PPDL, in cases where your application is rejected by our Company, if you find our response insufficient or if we do not respond to the application in time, you can file a complaint with the Personal Data Protection Board within thirty days from the date you learn about our Company's response, and in any case within sixty days from the date of application.

IN WHAT SITUATIONS CAN DATA HOLDERS NOT ASSERT THEIR RIGHTS?

The data subjects cannot exercise the above rights in these matters, as the following cases are excluded from the scope of the PPDL pursuant to Article 28 of the PPDL:

  • Processing of personal data for purposes such as research, planning and statistics by anonymization with official statistics.
  • Processing of personal data for artistic, historical, literary or scientific purposes or in the framework of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy or rights of personality or constitute a criminal offense.
  • Processing of personal data in the course of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
  • Processing of personal data by judicial authorities or law enforcement authorities in connection with investigations, prosecutions, judicial proceedings or enforcement proceedings.

Pursuant to Article 28/2 of the PPDLA, data subjects may not exercise their rights other than the right to compensation in the cases listed below:

  • The processing of personal data is necessary for the prevention of a crime or for criminal investigation.
  • Processing of personal data made public by the personal data subject.
  • The processing of personal data is required by authorized public institutions and organizations and professional organizations acting as public institutions for the fulfillment of supervisory or regulatory obligations and for disciplinary investigations or prosecutions based on the powers granted by law.
  • The processing of personal data is necessary for the protection of the economic and financial interests of the State in budgetary, fiscal and financial matters.

MISCELLANEOUS

As explained in detail above, your personal data may be stored and retained, classified for market research, financial and operational processes and marketing activities, updated at different times and to the extent permitted by law, disclosed to third parties and/or suppliers and/or service providers and/or foreign partners within the framework of the law and confidentiality principles;  data can be transferred, stored, processed by reporting, and records and documents can be arranged in electronic or paper form as a basis for the transaction in accordance with the policies to which we are subject and for reasons stipulated by other authorities.

In case of inconsistency between the PPDL and the provisions of other relevant legislation and this Policy, the PPDL and provisions of other relevant legislation will take precedence.

This policy prepared by our company entered into force in accordance with the decision taken by the Elastron Board of Directors.

We would like to remind you that we may make updates to this policy due to changes in our company policies and legislative provisions that may change over time. We will post the most current version of the Policy on our website.

The User(s) irrevocably agrees/agree that they have read this Personal Data Protection Policy before entering the Website, that they will abide by all the points herein, that the contents of the Website and all electronic media and computer records belonging to our company will be considered definitive evidence pursuant to Article 193 of the Code of Civil Procedure.

 

Effective Date:

Version: 1

ATTACHMENT– ABBREVIATIONS

ABBREVIATIONS

Law No. 5651

The Law on the Regulation of Publications on the Internet and Combating Crimes Committed by Such Publications, published in the Official Gazette of May 23, 2007, under number 26530.

Constitution

The Constitution of the Republic of Turkey, dated 9 November 1982 and numbered 2709, published in the Official Gazette of 7 November 1982, under number 17863,

Application Communiqué

Communiqué on the Procedures and Principles of Applying to the Data Controller, published in the Official Gazette of March 10, 2018, under number 30356

Data Subject/Data Subjects or Data Owner

Customers of Elastron and/or group companies with which Elastron is affiliated, corporate customers with whom Elastron has business relationships, business partners, shareholders, officials, prospective employees, interns, visitors, suppliers, employees of institutions with which Elastron cooperates, third parties and not limited to those listed herein, natural persons whose personal data are processed like other persons.

Regulation on the Erasure, Destruction or Anonymization of Personal Data

Regulation on the Erasure, Destruction or Anonymization of Personal Data, which was published in the Official Gazette of 28 October 2017 under numbered 30224 and entered into force as of 1 January 2018

PPDL

Personal Data Protection Law, which entered into force after being published in the Official Gazette of 7 April 2016, under number 29677

PDP Board

Personal Data Protection Board

PDP Authority

Personal Data Protection Authority

a.

article

E.g.

Example

Policy

Elastron's Personal Data Protection and Privacy Policy

Company/ Elastron

Elastron Kimya Sanayi ve Ticaret A.Ş.

Turkish Penal Code

Turkish Penal Code No. 5237, dated September 26, 2004, published in the Official Gazette of October 12, 2004, under number 25611