1.PURPOSE

We, as MED MARINE Kılavuzluk ve Römorkör Hizmetleri İnş. San. ve Tic. A.Ş. (“MED MARINE”), give priority to ensuring that the personal data of real persons, including our customers, visitors of our web sites or facilities, our real person suppliers and real person employees of our suppliers, our potential employees, our former employees and current employees (hereinafter all together referred to as the “Individuals”) are processed in compliance with the legislation applicable in Turkey, particularly including the Law no. 6698 on the Protection of Personal Data (hereinafter referred to as the “LPPD”) and the secondary legislation the legal basis of which is the LPPD as well as the decisions of the Personal Data Protection Board, (hereinafter all together referred to as the “Data Protection Legislation”), and that those persons whose personal data are processed can effectively exercise their rights. 

Accordingly, we process, retain and transfer all personal data of the Individuals, i.e. the personal data we obtain during our activities, in accordance with MED MARINE Personal Data Retention and Destruction Policy (the “Policy”).

Protecting the personal data and looking after the fundamental rights and freedoms of the Individuals whose personal data are processed is the primary principle of our policy regarding the processing of personal data. For this reason, all our activities where personal data are processed are being carried out by protecting the rights of privacy, confidentiality of personal information, confidentiality of communication, freedom of thought and belief. For the purposes of protecting personal data, we take all administrative and technical protection measures as required by the nature of the data in compliance with the Data Protection Legislation and the state-of-the-art technology. This Policy describes our methods of processing, retaining, transferring and deleting or anynoymizing the personal data during our human resources, trade, promotion, marketing, security, social responsibility and similar activities in compliance with the principles stipulated in the LPPD no. 6698.

2.SCOPE

This Policy covers all kinds of personal data of the Individuals which are processed by MED MARINE. Our Policy applies to all activities of personal data processing owned or managed by MED MARINE, and is addressed and drafted in consideration of the Personal Data Protection Law and the relevant international standards.

3.DEFINITIONS AND ABBREVIATIONS

This section briefly describes the definitions and abbreviations used in this Policy.

Personal Data: means all kinds of information related to an identified or identifiable real person.

Personal Data Owner (Concerned Person):  means the real person whose personal data is processed.

Processing of Personal Data: means all kinds of processes conducted on personal data such as obtaining, recording, storing, preserving, modifying, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data through wholly or partially automatic means, or through non-automatic means provided that it is part of any recording system.

Data Processor: means a real person or legal entity who processes personal data on behalf of the data controller on the basis of the authority granted by the data controller.

Data Controller: means a real person or legal entity who determines the purposes and means of processing personal data, and is responsible for establishment and management of the data recording system.

Express Consent: means the consent granted for a certain matter based upon the information provided and upon free will, which is express beyond doubt and which is limited only with a specific process.

Anonymisation: means making personal data non-associable with an identified or identifiable real person by any means whatsoever, even by matching with other data.

Employee: means an employee of MED MARINE.

Personal Data of Special Nature: means data related to a person’s race, ethnicity, political view, philosophical belief, religion, religious sect or other beliefs, health, fingerprint, appearance, membership to associations, foundations or syndicates, health, sexual life, criminal conviction and safety precautions as well as biometric and genetic data;

4. ROLES AND RESPONSIBILITIES

4.1 Data Protection Committee

The Data Protection Committee of MED MARINE is responsible for drafting, developing, executing and updating this Policy. It reviews this Policy in terms of its up-to-dateness and requirements for development where necessary. The publication of the prepared document on the corporate portal is the responsibility of the Data Protection Committee.

4.2 The Personal Data in our Possession

The main personal data of the Individuals processed by MED MARINE can be defined as follows.

1. Identity information: e.g. your name, photo, gender, birth date, identity number;
2. National or other identity documents: e.g. your national identity card/passport, information on any visa application, driver’s license, national health system number (or equivalent);
3. Contact information: e.g. your residential address, your personal phone numbers or e-mail addresses, contact information of your emergency contact and/or closest relative;
4. Information on your occupation or job: e.g. your title/position, workplace or workplaces, clauses in your employment contract, performance, evaluation, training and career development records, records of any complaint procedure which you have been involved in, information on holidays/annual leaves you have requested and used, all other vacations you have requested and used, and records of sickness;
5. Information on professional qualifications, achievements and/or skills: e.g. academic/professional qualifications, education, CV/personal background and languages you know. This also includes all qualifications required for your job, for example your driver’s license class or criminal record and/or memberships to professional associations;
6. Financial Data: e.g. bank account information, tax information and information on payments made by MED MARINE to you including wage, bonus, overtime pay and other variable items of payment, expenses and travel allowances given by MED MARINE;
7. Other information required for the management of payments made to or by you: e.g.  information on any loan you have taken out and information on contributions made prior to or through wage/salary payment (for example, membership fee of union) and all kinds of additions to and all kinds of deductions from your income;
8. Information on your use of MED MARINE systems, devices and properties; e.g. the identity of your computer and/or mobile phone or other devices, mobile phone or fixed phone serial numbers, user identity, IP addresses, recording files, software and hardware inventories, data collected for supervising and ensuring the security of the website via cookies, information on access to MED MARINE facilities, call center records and CCTV records;
9. Information on travels and accommodations for business purposes;
10. Health and safety information: e.g. occupational accident records, information on personal injury claims (which affect MED MARINE), medical documents, documents for fitness to work or other professional health reports and results of drug and alcohol tests; and
11. Information on your former and/or potential and/or current employer.

The above-summarized personal data which are in our possession, the purposes and terms of processing, groups of persons whose personal data are processed, recipients to whom the data are transferred, whether any data is transferred to abroad as well as the security measures taken have been formatted within an inventory and recorded by the Data Controller MED MARINE in the Data Controllers Registry Information System (VERBIS). These records are publicly available and can be accessed through https://verbis.kvkk.gov.tr/.

5.LEGAL OBLIGATIONS

Our legal obligations as a Data Controller with respect to the protection and processing of personal data as per the LPPD are listed below:

5.1 Our Obligation to Inform

While gathering personal data, we, as a Data Controller, bear the obligation to inform those individuals whose data are processed regarding the following:

• for which purpose your personal data will be processed
• information on our identity and, if any, our representative
• to whom and for which purpose your processed personal data can be transferred
• our method of gathering data and the legal reason behind it,
• your rights under the law.

As per our obligation to inform, we, as MED MARINE, attach importance to ensuring that this publicly available Policy is clear, understandable and easily accessible.

5.2 Our Obligation to Ensure Data Security

We, as a Data Controller, take the administrative and technical measures stipulated in the Data Protection Legislation in order to ensure the security of the personal data in our possession. In this extent, our obligations include preventing processing of personal data in a way contrary to the law and the company policies/rules and preventing access to personal data in a way contrary to the law and the company rules, retaining and storing personal data under proper conditions, and handling the data destruction process in compliance with the law and the company policies/rules. In case of any breach of rules, we apply the necessary sanctions and internal disciplinary rules.

6. PERSONAL DATA PROCESSING

6.1 Our Principles of Personal Data Processing

• We transparently process personal data in accordance with the rules of good faith by fulfilling our obligation to inform.
• We take the necessary measures in our data processing procedures to ensure that the processed data are accurate and up-to-date. We provide Personal Data Owners with the opportunity to update their existing data and apply to us for the correction of errors in their processed data, if any.
• We, as MED MARINE, process personal data for our legitimate purposes aiming to carry out our activities, the scope and content of which are clearly determined, in line with the legislation and the ordinary course of business.
• We process personal data in a limited and prudent manner in connection with the purpose that we clearly and precisely designate. We refrain from processing personal data which are irrelevant or the processing of which is not required. For this reason, we do not process personal data of special nature unless required by law, or if we are required to process such personal data, we obtain express consent of the relevant persons in this respect.
• The legislation includes a number of regulations which require the storage of various personal data for certain periods. Therefore, we retain the processed personal data for a period stipulated in the relevant legislation or as required for the purposes of processing of the personal data. We delete, destroy or anonymize the personal data when the storage period stipulated in the law expires or when the purpose of processing is no longer available.

6.2 Our Purposes of Personal Data Processing

We process personal data for the purposes below:

• Carrying out our corporate activities
• Ensuring that our legal obligations are fulfilled as required by or stipulated under the legal regulations
• Assessing the job applications
• Contacting the persons who are in a contractual relationship with MED MARINE
• Supporting our employees’ training, improvement and career processes

• Achieving compliance management
• Achieving dealer/supplier management
• Managing call center processes
• Achieving corporate communication
• Protecting our employees’ rights
• Sending out bulletins, performing marketing activities or making notifications via electronic mail
• Ensuring physical and digital media security

 

6.3 Processing of Personal Data of Special Nature

We process personal data of special nature in cases where required under the laws and by taking the administrative and technical measures stipulated by the Personal Data Protection Board or by obtaining express consents of the relevant persons.

6.4 Exceptional Cases Where Express Consent is Not Required for Personal Data Processing

In the exceptional cases specified below, we can process personal data without obtaining express consent from the relevant persons:

• If it is clearly stipulated in the laws.
• If it is required for the protection of the life or physical integrity of the person, who cannot express his/her consent due to an actual impossibility or whose consent is not considered legally valid, or of any other person.
• If it is required to process the personal data of the parties to a contract, provided that it is directly related to the conclusion or fulfillment of the contract.
• If it is required for the data controller to fulfill his/her legal obligation,
• If the relevant person has made the data public,
• If data processing is required for the establishment, exercise or protection of a right,
• If data processing is required for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the relevant person are not damaged.

7.TRANSFER OF PERSONAL DATA

We pay attention to allowing access to personal data only by persons who need such access to perform their tasks and jobs and third persons who have a legitimate purpose for such access. In each and every case where we allow third persons access the personal data, we will apply proper measures to ensure that the data are used in compliance with this policy and the confidentiality and integrity of the data are protected. The personal data we have processes can be recorded within an automatic data processing systems used by MED MARINE to effectively perform its activities, processed, and transferred to abroad within the limitations stipulated in the Data Protection Legislation with the knowledge and express consent of the relevant persons, by legal-entity local and global companies and subsidiaries of MED MARINE as well as service providers in the capacity of data processors bearing the obligation of confidentiality from whom MED MARINE purchases services under a service contract. Your personal data will under no circumstances be disclosed to third person save for those mentioned hereinabove.

Except obligatory cases, data is not transferred by means of portable memory sticks. In obligatory cases, such transfer is made under the supervision of those responsible. Sealed envelopes and lockers are used for the security of the data to be transferred on paper. MED MARINE, as the Data Controller, is responsible for taking the necessary technical and administrative measures in this respect.

8.RETENTION OF PERSONAL DATA

8.1 Retention of personal data for a period as set forth in the relevant legislation or as required in terms of the purpose of processing

MED MARINE is responsible for retaining the personal data for a period required in terms of the purpose of personal data processing, reserving the retention periods stipulated in the legislation. Personal data are retained for a period set forth in the legislation or as required for the purposes for which they were processed. Data are stored in physical (cabinets of departments, archives) or electronic (server, cloud etc.) media. Necessary measures for retention and protection of data are taken and media security is provided by MED MARINE. Importance is attached to maintaining data integrity in all digital and physical storage media. In cases where we process personal data for multiple purposes, data are deleted, destroyed or retain by being anonymized if the purposes for processing such data are no longer available or upon the request of the relevant person unless there is any impediment for the deletion of the data under the legislation. The requirements under the Data Protection Legislation are observed in the destruction, deletion and anonymisation processes.

9.DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA 

9.1 Deletion and Destruction of Personal Data

Personal data are deleted, destructed and/or anonymized, if:

• any amendment is made to the provisions of the Personal Data Legislation,
• the circumstances which require the processing and retention of personal data are no longer available,
• the relevant person does not grant his/her express consent or withdraws his/her consent and this decision is approved by the data controller,
• the maximum period for which personal data should be retained expires,
• the request for destruction of data made through an application to the Personal Data Protection Board is approved by the board.

9.2 Methods Adopted for Deletion and Destruction of Personal Data

The methods used for the deletion and destruction of personal data are specified below. One of the following methods are used according to the manner of retention of personal data.

9.2.1 Destruction of Personal Data Retained as Document;

The responsibility for secure destruction of data retained as document and stored in physical media (cabinets and/or archives) is borne by the managers of the department which has processed such data. Such documents are destructed by being cut, burnt, shredded by means of shredding devices or through similar methods in a way not to allow their being restored or read. For such destruction of the data, support may be received from an expert corporation in the position of data processor.

9.2.2 Deletion of Personal Data Retained in Electronic Media;

The responsibility for secure deletion and destruction of data retained in electronic media is borne by the Information Technologies department. Digitally stored data are deleted in a way not to allow access by those concerned, or destructed in a way not to allow making them reusable. The procedures implemented on data stored in any media, either physical or electronic, and destructed are entered into records by by the Information Technologies department.

10.RIGHTS OF PERSONAL DATA OWNERS

Personal Data Owners have the following rights over their personal data;

• receiving information on whether their personal data are processed or not,
• if their personal data are processed, requesting information on such processing,
• obtaining information on the purpose of processing personal data and whether the processed data is used for this purpose,
• being informed of the third persons to whom the personal data is transferred within and out of the country,
• if the personal data are processed incompletely or incorrectly, requesting their correction,
• if the reasons requiring processing of the personal data are no longer available, requesting the deletion or destruction of the personal data,
• requesting the notification of the above-mentioned correction, deletion or destruction procedures to the third persons to whom the personal data have been transferred,
• objecting to any adverse result arising from the analysis of the processed data solely by means of automatic systems,
• requesting compensation of damages arising from unlawful processing of the personal data.

10.1 Exercise of Rights Related to Personal Data

Each and every relevant person whose data are processed under the instructions of the data controller MED MARINE has the right to make an application to the data controller as per article 13 of the LPPD in order to exercise his/her rights under article 11 of the LPPD. The data controller MED MARINE is obliged to either accept or reject - by explaining the reason of rejection - such application latest within 30 (thirty) days. However, for such application to be considered as a duly made application, it should meet all items stipulated in the Communique on Principles and Procedures for Application to Data Controller.

For the application of any relevant person to be accepted as a valid application:

• it should be submitted in writing and in Turkish language by the relevant person himself/herself by presenting his/her identity card, or
• it should be sent to the registered electronic mail (KEP) address with secure electronic signature or mobile signature, or
• it should be sent by the relevant person through his/her electronic mail address previously notified to MED MARINE and recorded in MED MARINE’s system, or
• it should be sent through a software or an app developed by MED MARINE for the purposes of application.

Besides, for an application to be accepted as a duly made application and be evaluated, it should contain all of the following items.

• Name and surname, and if the application is made in writing, wet signature of the relevant person,
• For Turkish citizens, Turkish ID number; for foreigners, nationality, passport number and, if any, identity number,
• Residential or business address for notification,
• Electronic mail address, phone and fax number for notification, if any,
• Subject of the request of the relevant person.

Accordingly, for the exercise of the rights granted to the relevant persons under article 11 of the LPPD, an application containing all items stipulated in the Communique on Principles and Procedures for Application to Data Controller should be submitted to MED MARINE by means of registered mail with return receipt or application in person or electronic mail by using secure electronic signature through the contact and address details specified in this Policy.

Individuals and other relevant persons may contact the Data Protection Committee through kvkk@medmarine.com.tr for any question or concern regarding this Policy or other personal data protection practices of MED MARINE or for any request regarding their rights.