MENU
EN
Personal Data Protection Policy
Home Corporate Personal Data Protection Policy

SYR PLASTIK OTOMOTIV SANAYI VE TICARET LTD. STI. PERSONAL DATA PROTECTION AND PROCESSING POLICY

INTRODUCTION

This Policy sets forth the principles to be adopted and implemented by SYR Plastik Otomotiv Sanayi ve Ticaret Ltd. Şti. (hereinafter referred to as the "Company") regarding the protection and processing of personal data. The aim of this policy is to establish the framework and coordination for the compliance efforts to be carried out within the Company in line with the Law on the Protection of Personal Data No. 6698 ("KVK Law"). Accordingly, the objective is to continue conducting activities in accordance with the principles of legality, fairness, and transparency, which have been embraced by the Company since its foundation. The Company shall establish the necessary structure, procedures, and processes for KVK Law compliance and implement mechanisms to raise awareness among its employees and business partners.

SCOPE

This Policy applies to all personal data that is processed wholly or partially by automated means, or by non-automated means provided that it is part of a data recording system, and relates to individuals other than our Company employees. Detailed information about personal data subjects is available in Annex 2 of this Policy (Annex 2 – Personal Data Subjects).

PURPOSE OF USE

The purpose of this Policy is to ensure the adoption of key regulations required for compliance with the KVK Law across the Company. It serves as a guide for implementing the rules established by the KVK Law and related legislation. The Company will carry out internal arrangements, raise awareness among its employees and business partners, and implement internal audit mechanisms to ensure continued compliance. In this context, this Policy provides guidance on how to concretely apply the provisions stipulated in the KVK Law and relevant regulations. The Company shall make the necessary internal arrangements for compliance with this Policy, conduct regular audits to ensure compliance, and ensure the continuity of alignment. Within the Company, all necessary administrative and technical measures will be taken in line with the principles outlined in this Policy for the processing and protection of personal data. Internal systems will be established to ensure awareness among employees, adaptation processes will be implemented for new employees, and necessary notifications and warnings regarding this matter will be issued to the Company’s business partners.

PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA

A priority for the Company is to act in accordance with the general principles set forth in legislation when processing personal data. In this context, the Company must act in accordance with the following principles when processing personal data, as stipulated by the Constitution and the KVK Law:

2.1. Lawfulness and Fairness

Pursuant to Article 4 of the KVK Law, the Company shall process personal data lawfully and fairly, ensuring that the data is accurate, kept up to date when necessary, collected for specific, explicit and legitimate purposes, and processed in a manner that is adequate, relevant, and limited to what is necessary in relation to the purposes. The Company must also ensure proportionality and avoid using the data beyond its intended purpose.

2.2. Accuracy and Up-to-Date

The Company must ensure that the personal data it processes is accurate and up to date by taking into account the fundamental rights of the data subjects and its own legitimate interests. Necessary precautions must be taken and systems must be established for this purpose.

2.3. Processing for Specific, Explicit, and Legitimate Purposes

The Company must process personal data for legitimate and lawful reasons. The data must be processed in connection with and limited to the activities carried out by the Company. The purpose for which the data is processed must be determined before processing begins.

2.4. Relevance, Limitation, and Proportionality

Personal data must be processed in a manner that is relevant, limited, and proportionate to the purpose. The Company must avoid processing data that is not necessary or not related to the intended purpose. Data should not be processed for potential future needs.

2.5. Storage Limitation

In accordance with Article 138 of the Turkish Penal Code and Articles 4 and 7 of the KVK Law, personal data must be retained only for the period stipulated by applicable laws or necessary for the purpose for which they were collected. If a retention period is defined in legislation, it must be followed. If not, the data should be retained only as long as needed for the stated purpose and should be deleted, destroyed, or anonymized once that period ends. Data should not be kept merely because it might be needed in the future.

2.6. Legal Grounds for Processing

As a rule, personal data must be processed in accordance with one or more of the legal grounds specified in Article 5 of the KVK Law. The Company must identify whether its processing activities meet these conditions, and if not, such activities must be terminated. All processing activities must also comply with the principles outlined in Article 4 of the KVK Law and in sections 2.1 to 2.5 of this Policy. Processing of sensitive data and transfer to third parties or abroad must also follow special provisions under the KVK Law.

2.7. Data Transfer Requirements

2.7.1. Domestic Transfers

The Company must ensure that all personal data, including sensitive personal data, is transferred to third parties in compliance with data processing purposes and with appropriate security measures in place. Necessary processes must be established in accordance with Article 8 of the KVK Law.

2.7.2. International Transfers

Currently, the Company does not transfer personal data abroad. However, if such transfer becomes necessary in the future, appropriate security measures must be taken. Data may only be transferred to foreign countries declared by the KVK Board to have adequate protection or, in the absence of such, to countries where both data controllers provide written guarantees and obtain permission from the KVK Board, pursuant to Article 9.

2.7.3. Transfer of Sensitive Personal Data

Sensitive personal data may be transferred only under the conditions described in this Policy, with necessary administrative and technical measures in place:

  • (i) Sensitive data other than health and sexual life may be processed without explicit consent if clearly stipulated by law. Otherwise, explicit consent is required.

  • (ii) Data concerning health and sexual life may be processed without consent only by persons or institutions bound by confidentiality obligations, and only for public health, preventive medicine, diagnosis, treatment, care services, or planning and management of healthcare services and financing. Otherwise, explicit consent is required. Such data may be transferred to countries with adequate protection or, in the absence of such, to countries where the data controller has committed to ensuring adequate protection and has received KVK Board approval.