CLARIFICATION TEXT ON THE PROTECTION AND PROCESSING OF PERSONAL DATA FOR BUSINESS PARTNERS AND PROSPECTIVE BUSINESS PARTNERS

Dear Our Partners and Prospective Partners,

As MET-GUN – EZE – ATIS NAMED PARTNERSHIP, with the title of “Data Controller” (hereinafter referred to as “Data Controller”);

In our company, within the framework of the purpose that requires their processing and in a limited and measured manner in connection with this purpose, we hereby inform you that the personal data you have notified to us will be recorded, stored, preserved, reorganized, shared with the institutions authorized by law to request this personal data and transferred to domestic or foreign third parties, transferred, classified and processed in other ways listed in the PDPL under the conditions stipulated by the PDPL.

 

1- Your Personal Data Processed

Our company, which is the data controller, may collect and process some personal data within the scope of the Personal Data Protection Law No. 6698, which entered into force on April 7, 2016.

Accordingly, our business partners or prospective business partners may request the name, surname, e-mail address, telephone number and other contact information of the company to which they are affiliated, the company’s field of activity, the name, surname, e-mail address, telephone number and other contact information of the authorized person or employee, depending on the nature of the business.

During the business development processes and the performance of the work, all personal data collected and processed about our business partners or candidate business partners and the people working within them or who are partners/authorized people of the companies in question are transferred to the relevant units to the extent stipulated and permitted by the Law, as detailed below.

 

2- Our Personal Data Collection Method and Legal Reason

Your personal data is collected by the Data Controller through the channels listed below and in physical and electronic environments as follows, within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the Personal Data Protection Law No. 6698, for the purpose of implementing and executing the Data Controller’s business development policies:

  • Through information and documents transmitted to the data controller by our business partners or prospective business partners and the people who work within them or who are partners/authorized people of such companies via e-mail, cargo, reference and similar methods,
  • Through all kinds of communication channels, including correspondence, text messages and multimedia messages sent via electronic mail addresses, information forms and other communication methods,
  • Through reference people,
  • Through the data controller’s employees or the employment or consultancy companies they work for,
  • Through research conducted by the data controller through the internet or other channels.


3- Purpose of Processing Your Personal Data

Within the scope of the purposes specified in this disclosure text by the Data Controller, the personal data of our business partners or candidate business partners and the people who work within or are partners/authorized people of the companies in question may be collected and processed within the scope of the following:

  • To be able to apply as needed for business development or for the execution of existing business
  • To get a price offer for the works to be done
  • To discuss the details of the quotation received
  • To create a repository of companies,
  • If necessary, to check the accuracy of the information transmitted by our business partners or prospective business partners and the people working within them or who are partners/authorized people of the companies in question, or to contact third parties and conduct research on the offers transmitted,
  • To meet the requirements of any legislation or the requests of any authorized institution or organization,
  • To develop and improve business execution and acceleration processes


4- Principles Regarding the Processing of Your Personal Data

 

4.1. Processing of Personal Data in Compliance with the Principles Stipulated in the Legislation

Personal data obtained by the Data Controller is processed within the framework of the procedures and principles stipulated by the Law and other legal regulations. These principles are as follows:

  • Compliance with the Law and Good Faith
  • Ensuring that Personal Data is Accurate and Up to Date When Necessary
  • Processing for Specific, Explicit and Legitimate Purposes
  • Being relevant, limited and proportionate to the purpose for which they are processed
  • Retention for the Period Stipulated in the Legislation or Required for the Purpose for which they are Processed

 

4.2. Processing of Personal Data of General Nature

Article 5 of the Law regulates the conditions for processing personal data. In order to process personal data, at least one of these conditions must be met. It is also possible for the personal data processing activity to meet more than one condition. Article 6 of the Law regulates the condition for processing special categories of personal data. The processing conditions of the personal data of the Employee Candidate are listed as follows:

  • Explicit Consent of the Personal Data Owner
  • Being explicitly stipulated in the law
  • Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility
  • Direct Relevance to the Establishment or Performance of the Contract
  • Fulfillment of Legal Obligation
  • Publicization of Personal Data by the Personal Data Owner
  • Data Processing Necessary for the Establishment or Protection of a Right
  • Mandatory Data Processing for the Legitimate Interest of the Data Controller


4.3. Processing Sensitive Personal Data

Article 6 of the Law regulates the conditions for processing special categories of personal data.

Sensitive personal data are processed by the Data Controller in accordance with the principles set out in this Clarification Text and by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:

Processing of sensitive personal data, however one or more of the following conditions should be present:

  • Explicit consent of the person concerned,
  • If clearly stipulated in the laws,
  • Where a person is unable to express consent due to actual impossibility or where consent is not legally valid, it is necessary to protect the life or physical integrity of that person or another individual.
  • Being related to the personal data made public by the data subject and being in accordance with the will of the data subject to make it public,
  • The necessity for the establishment, exercise, or protection of a right,
  • It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by people under the obligation to keep secrets or authorized institutions and organizations,
  • It is mandatory for the fulfillment of legal obligations in the areas of employment, occupational health and safety, social security, social services and social assistance,
  • Foundations, associations, and other non-profit organizations or entities established for political, philosophical, religious, or trade union purposes may, subject to compliance with the applicable legislation and their objectives, be limited to their areas of activity, and provided that they are not disclosed to third parties, be directed toward their current or former members and affiliates or people who are in regular contact with these organizations and entities.

Processing of special categories of personal data is prohibited except in these cases listed in the Law.

In the processing of special categories of personal data, adequate measures determined by the Board must also be taken.

 

5- Disclosure to Our Business Partners or Prospective Business Partners, or to Individuals Working Within Their Organization or Who Are Partners/Authorized Representatives of the Companies in Question

In accordance with PDPL, the data controller or an authorized person is obligated to provide the following information to the relevant individuals during the collection of personal data:

  • Identity of the data controller and its representative, if any,
  • The purpose for which personal data will be processed,
  • To whom and for what purposes processed personal data may be transferred,
  • The method and legal grounds for collecting personal data,
  • To provide information on other rights listed in Article 11 of the Law.


The Data Controller fulfills the necessary disclosure obligation during the acquisition of personal data and aims to maintain a transparent data processing policy.

 

6- To Whom and for What Purpose Your Personal Data Will Be Transferred

According to Article 8 of Personal Data Protection Law No. 6698, personal data cannot be transferred without the explicit consent of the relevant person. Personal data may be transferred to third parties without explicit consent in cases where it can be processed without the explicit consent of the personal data owner. Accordingly, personal data may be transferred without seeking the explicit consent of the data subject if one of the conditions specified in Article 5/2 of the PDPL is present.

Special categories of personal data may be transferred without seeking the explicit consent of the data subject, provided that adequate measures are taken, if one of the conditions specified in Article 6/3 of PDPL is present.

The provisions of other laws regarding the transfer of personal data are reserved.

According to Article 9 of the PDPL, titled “Transfer of Personal Data Abroad,” personal data cannot be transferred abroad without the explicit consent of the relevant person, as a rule. However, personal data may also be transferred abroad if certain conditions are met in cases where personal data can be processed without explicit consent.

Personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Articles 5 and 6 exists and there is a qualification decision on the country, sectors within the country or international organizations to which the transfer will be made.

In the absence of an adequacy decision, personal data shall be transferred provided that one of the conditions specified in Articles 5 and 6 exists and the data subject has the opportunity to exercise his/her rights and to apply for effective legal remedies in the country of transfer,

  • Existence of an agreement that does not constitute an international contract between public institutions and organizations or international organizations abroad and public institutions and organizations or professional organizations in the nature of public institutions in the Republic of Türkiye, and the Board’s authorization of the transfer,
  • The existence of binding corporate rules containing provisions on the protection of personal data, which are approved by the Board and to which companies within a group of undertakings engaged in joint economic activities are required to comply,
  • Existence of a standard contract announced by the Board, including data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data,
  • Existence of a written undertaking containing provisions to ensure adequate protection and authorization of the transfer by the Board,

Data may be transferred abroad by data controllers and data processors if one of the assurances is provided by the parties.

The standard contract shall be notified to the Authority by the data controller or data processor within five business days of its signature.

Data controllers and data processors may transfer personal data abroad only in exceptional circumstances, provided that one of the following conditions is met, in the absence of an adequacy decision and where none of the appropriate safeguards referred to above can be provided:

  • The data subject’s explicit consent to the transfer, provided that he/she is informed about the possible risks.
  • The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject.
  • The transfer is mandatory for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.
  • The transfer must be necessary for an overriding public interest.
  • The transfer of personal data is necessary for the establishment, exercise, or defense of a legal claim.
  • Where a person is unable to express consent due to actual impossibility or where consent is not legally valid, the transfer of personal data is mandatory to protect the life or physical integrity of that person or another individual.
  • Transfer from a public registry or a registry open to people with a legitimate interest, provided that the conditions required by the relevant legislation for accessing the registry are met and the person with a legitimate interest requests it.

The safeguards provided for in Law No. 6698 are also ensured by the data controller and data processors with regard to subsequent transfers of personal data transferred abroad and transfers to international organizations, and the provisions of Article 9 are applied.

The provisions of other laws regarding the transfer of personal data abroad are reserved.

Your personal data processed in accordance with the above-mentioned regulations may be transferred to the categories of people listed below:

  • Business partners,
  • Company officials,
  • Legally authorized public institutions and organizations,
  • It may be transferred to legally authorized private law people limited to the personal data processing conditions and purposes specified in Articles 8 and 9 of PDPL No. 6698.

 7- Retention Period of Your Personal Data

While determining the retention period of personal data, the obligations imposed by legal regulations are taken into consideration. Apart from legal regulations, the retention period is determined by considering the purposes of processing personal data. After the period mentioned herein has expired, your personal data will be deleted, destroyed and/or anonymized by the Data Controller or upon your request by the methods within the scope of the Law on the Protection of Personal Data, the relevant regulations and the Data Controller’s data retention and destruction policy.

The personal data processed by the Data Controller of our business partners or candidate business partners and the people who work within them or who are partners/authorized people of the companies in question are stored for the duration of the contract and for 15 years from the end of the contract for our business partners, and the information of our candidate business partners and the people who work within them or who are partners/authorized people of the companies in question is stored for three years from the date of acquisition. In the event that a business relationship cannot be established with the people in question, such data will be deleted, destroyed and/or anonymized by the methods within the scope of the Data Controller’s data retention and destruction policy.

You can withdraw your consent to the processing of personal data other than data that must be processed by law at any time.

 

8- Your Rights as a Personal Data Owner

Within the scope of Article 11 of the PDPL, you have the following rights regarding your personal data:

  • Learning whether your personal data is being processed,
  • Requesting information if your personal data has been processed,
  • Learning the purpose of processing personal data and whether they are used for their intended purpose,
  • Learning the third parties to whom personal data are transferred domestically or abroad,
  • Requesting correction of personal data in case of incomplete or incorrect processing,
  • If the reasons requiring the processing of your personal data ceases to exist, request the deletion or destruction of the data.
  • Request that the third party to whom your personal data has been transferred be notified of any information that has been corrected or deleted at your request, if it has been transferred.
  • Objecting to the occurrence of a result to your detriment by analyzing your processed data exclusively through automated systems,
  • Demanding compensation of the damage in case you suffer damage due to unlawful processing of your personal data.

In order to exercise your rights mentioned above, you can send your written request with the necessary information identifying your identity and your explanations regarding the right you want to exercise to “Huzur Mah. Ayazağa Cad. Metgün Binası No:2/2 Sarıyer / İstanbul” address with wet signature clearly stating that the subject is related to PDPL, you can send it by hand, through a notary public or by other methods specified in Law No. 6698. Applications must be made in Turkish.

 

This is an English translation. In case of any difference in meaning between the original Turkish text and the English translation, the Turkish text shall apply.