KAYMAKÇILAR CASTING AND INDUSTRY JOINT STOCK COMPANY
PERSONAL DATA PROTECTION AND PROCESSING POLICY
Target Audience:
All natural persons whose personal data are processed by Kaymakçılar Casting and Industry Joint Stock Company.
Prepared by:
Kaymakçılar Casting and Industry Joint Stock Company – Personal Data Protection Committee
Version: 2.0
Approved by:
Kaymakçılar Casting and Industry Joint Stock Company
1. INTRODUCTION
Kaymakçılar Casting and Industry Joint Stock Company (“KAYMAKÇILAR”) attaches great importance to the protection of personal data and considers it one of its primary priorities in all its activities.
The Kaymakçılar Personal Data Protection and Processing Principles (“Principles”) constitute the main regulation to ensure the compliance of KAYMAKÇILAR’s organizational structure and business processes with the procedures and principles set out in the Law on the Protection of Personal Data No. 6698 (“Law”).
In accordance with these Principles, KAYMAKÇILAR processes and protects personal data with a high level of responsibility and awareness and ensures transparency by informing data subjects accordingly.
1.1 Purpose
The purpose of these Principles is to ensure that the procedures and principles stipulated by the Law and other relevant legislation are effectively implemented by harmonizing them with the organization and processes of KAYMAKÇILAR.
To this end, KAYMAKÇILAR takes all necessary administrative and technical measures, establishes the required internal procedures, enhances awareness, and provides training to ensure full understanding of data protection responsibilities.
All necessary steps are taken to ensure compliance of relevant individuals with the provisions of the Law, and effective control and audit mechanisms are established within the organization.
1.2 Scope
These Principles cover all personal data obtained within KAYMAKÇILAR’s business processes — whether electronically or through non-electronic means — as long as they are part of any data recording system.
This includes the Data Categories and Personal Data (Annex-1) and the Purposes of Personal Data Processing (Annex-2) attached to this Policy.
1.3 Legal Basis
These Principles are based on the Law No. 6698 and other relevant legislation.
Personal data are processed to fulfill legal obligations arising from, among others:
- the Industrial Registry Law No. 6948,
- the Law No. 4703 on the Preparation and Implementation of Technical Legislation Regarding Products,
- the Turkish Standards Institute (TSE) Establishment Law No. 132,
- the Law No. 6502 on the Protection of Consumers,
- the Identity Notification Law No. 1774,
- the Labor Law No. 4857,
- the Occupational Health and Safety Law No. 6331,
- the Social Insurance and General Health Insurance Law No. 5510,
- the Unemployment Insurance Law No. 4447,
- the Turkish Commercial Code No. 6102,
- the Tax Procedure Law No. 213,
and other applicable legal regulations.
In cases where inconsistencies arise between the current legislation and these Principles, the provisions of the legislation in force shall prevail.
Regulatory provisions required by law are incorporated into KAYMAKÇILAR’s internal practices through these Principles.
1.4 Definitions
| Term | Definition |
|---|---|
| Recipient Group | The category of real or legal persons to whom personal data may be transferred by the data controller. |
| Explicit Consent | Consent that is related to a specific subject, based on information, and given by free will. |
| Anonymization | Rendering personal data impossible to associate with an identified or identifiable natural person, even by matching it with other data. |
| Employee | Personnel of the Personal Data Protection Authority. |
| Electronic Environment | Environments in which personal data can be created, read, modified, and written by electronic devices. |
| Non-Electronic Environment | All physical, written, printed, or visual environments other than electronic ones. |
| Service Provider | A real or legal person providing services to the Personal Data Protection Authority under a specific contract. |
| Data Subject (Related Person) | A natural person whose personal data is processed. |
| Authorized User | Persons within the data controller’s organization or acting on behalf of the controller under authority, excluding those responsible solely for technical data storage and backup. |
| Destruction | The deletion, destruction, or anonymization of personal data. |
| Law | Law No. 6698 on the Protection of Personal Data. |
| Data Recording Environment | Any environment where personal data is processed automatically or manually as part of a data recording system. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Personal Data Processing Inventory | The detailed inventory that explains processing purposes, categories, transfer groups, storage periods, and security measures associated with the processing of personal data. |
| Processing of Personal Data | Any operation performed on personal data, whether automated or not, such as collection, storage, alteration, transmission, disclosure, or destruction. |
| Board | The Personal Data Protection Board. |
| Special Categories of Personal Data | Data on race, ethnic origin, political opinions, religion, sect, association or union membership, health, sexual life, criminal record, biometric and genetic data. |
| Periodic Destruction | The recurring process of deleting, destroying, or anonymizing personal data when processing conditions no longer exist. |
| Policy | The Personal Data Retention and Destruction Policy. |
| Data Processor | A real or legal person who processes personal data on behalf of the data controller based on authorization. |
| Data Recording System | A structured system where personal data is processed according to specific criteria. |
| Data Controller | The person or entity determining the purposes and means of processing personal data and responsible for establishing and managing the data recording system. |
| Data Controllers Registry Information System (VERBIS) | The online information system managed by the Authority for the registration of data controllers. |
| Regulation | The Regulation on Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette on 28 October 2017. |
2. PROCESSING OF PERSONAL DATA
2.1. Lawful Processing of Personal Data
Personal data are processed in accordance with the following principles and within the framework of the legislation.
i. Processing in Accordance with the Law and the Principle of Good Faith
Personal data are processed only to the extent required by business processes, in a manner that is limited to these purposes, does not harm the fundamental rights and freedoms of individuals, and complies with the law and the principle of good faith.
ii. Ensuring Accuracy and Up-to-Date Data
Necessary measures are taken to ensure that the processed personal data are accurate and up to date. All processing activities are carried out in a planned and systematic manner to maintain data accuracy and currency.
iii. Processing for Specific, Explicit, and Legitimate Purposes
Personal data are processed only for legitimate purposes determined and announced within the scope of the business processes carried out by KAYMAKÇILAR.
iv. Processing Limited, Relevant, and Proportionate to Its Purpose
Personal data are collected to the extent required by the nature of the business processes and processed in a limited and proportionate manner in line with the specified purposes.
v. Retention for a Limited Period of Time
Personal data are retained only for the minimum period required by the relevant legislation and for the purpose for which they are processed.
If a specific retention period is stipulated in the legislation, that period is observed; otherwise, data are retained for as long as necessary to fulfill the processing purpose.
At the end of the retention period, personal data are destroyed (deleted, erased, or anonymized) in accordance with periodic destruction timelines or upon a data subject’s request, using appropriate methods.
2.2. Conditions for Processing Personal Data
Personal data may be processed with the explicit consent of the data subject or based on one or more of the following legal grounds:
i. Processing Personal Data Without Explicit Consent
Personal data may be processed without the explicit consent of the data subject in any of the following cases:
a. Explicitly Stipulated by Law
If the processing of personal data is clearly regulated by law, data may be processed without the consent of the data subject.
b. Inability to Obtain Consent Due to Actual Impossibility
If it is impossible to obtain the consent of the person concerned, or such consent cannot be legally validated, and processing is necessary to protect the life or physical integrity of the data subject or another person, personal data may be processed.
c. Processing Necessary for the Conclusion or Performance of a Contract
If the processing of personal data is directly related to the establishment or performance of a contract to which the data subject is a party, the data may be processed.
d. Fulfillment of a Legal Obligation
If the processing of personal data is necessary for KAYMAKÇILAR to fulfill its legal obligations, personal data may be processed accordingly.
e. Public Disclosure of Personal Data by the Data Subject
Personal data made public by the data subject may be processed in accordance with the purpose of disclosure.
f. Processing Necessary for the Establishment, Exercise, or Protection of a Right
If data processing is necessary for the establishment, exercise, or protection of a right, personal data may be processed.
g. Processing Necessary for Legitimate Interests
Provided that it does not harm the fundamental rights and freedoms of the data subject, personal data may be processed when it is necessary for the legitimate interests of KAYMAKÇILAR.
ii. Processing Personal Data Based on Explicit Consent
In cases where none of the above-mentioned conditions apply, the processing of personal data is carried out with the explicit consent of the data subject.
2.3. Processing of Special Categories of Personal Data
KAYMAKÇILAR processes special categories of personal data in compliance with the Law and these Principles, by taking all necessary administrative and technical measures determined by the Personal Data Protection Board, and according to the following conditions:
- When it is explicitly stipulated by law,
- When processing is necessary to protect the life or physical integrity of a person who cannot give consent due to actual impossibility,
- When the data have been made public by the data subject and are processed in accordance with their disclosure intent,
- When processing is necessary for the establishment, exercise, or protection of a right,
- When processing is necessary to fulfill obligations related to employment, occupational health and safety, social security, social services, and social assistance.
In cases other than those listed above, the explicit consent of the data subject is obtained before processing.
2.4. Informing the Data Subject and Obtaining Explicit Consent
KAYMAKÇILAR informs personal data subjects, in accordance with applicable legislation, about the purposes for which their personal data are processed, to whom and for what purposes their data may be transferred, the methods of collection, the legal basis for processing, and the rights they possess regarding their personal data.
For this purpose, KAYMAKÇILAR has prepared specific Information Notices (Annex-3) for each process, including:
- Customer Information Notice (Annex 3.1)
- Supplier Information Notice (Annex 3.2)
- Employee Information Notice (Annex 3.3)
- Candidate Employee Information Notice (Annex 3.4)
- Website Cookie Information Notice (Annex 3.5)
- Camera Information Notice (Annex 3.6)
- Card-Based Employee Tracking Information Notice (Annex 3.8)
The explicit consent of the personal data owner or the owner of special categories of personal data is obtained only after they have been informed through the respective information notice, ensuring that their consent is freely and knowingly given.
2.5. Transfer of Personal Data
i. Transfer of Personal Data Within Turkey
In line with the purposes of personal data processing, and by taking necessary security measures, KAYMAKÇILAR may transfer personal data within Turkey to real persons or private legal entities, shareholders, suppliers, or authorized public institutions and organizations.
Such transfers are carried out lawfully, proportionately, and in accordance with the Table of Personal Data Transfers and Purposes (Annex-4).
To ensure data confidentiality and prevent data breaches, Corporate Confidentiality Agreements (Annex-5) are signed with the receiving parties.
ii. Transfer of Personal Data Abroad
Currently, KAYMAKÇILAR does not transfer personal data abroad.
However, if an international data transfer becomes necessary, it will be carried out in accordance with the following principles:
- If there is an adequacy decision regarding the recipient country, sector, or international organization, data transfer may take place.
- In the absence of such a decision, appropriate safeguards (such as Binding Corporate Rules, Undertakings, or Standard Contracts) must be provided, ensuring the data subject can exercise their rights and access legal remedies effectively in the recipient country.
If there is neither an adequacy decision nor an appropriate safeguard, personal data may be transferred abroad only on an exceptional basis, provided that one of the following conditions is met:
- The data subject has given explicit consent after being informed of potential risks,
- The transfer is necessary for the performance of a contract between the data subject and the controller, or for pre-contractual measures taken at the data subject’s request,
- The transfer is necessary for the conclusion or performance of a contract in the interest of the data subject between the controller and another person,
- The transfer is necessary for important public interests,
- The transfer is necessary for the establishment, exercise, or protection of a right,
- The transfer is necessary to protect the life or physical integrity of a person who cannot give consent due to actual impossibility,
- The data are transferred from a public register that is open to the public or accessible by persons with a legitimate interest, provided the legal conditions for access are met.
Except where international agreements stipulate otherwise, if a data transfer abroad would seriously harm the interests of Turkey or the data subject, such transfer shall be made only with the permission of the Personal Data Protection Board and after obtaining the opinion of the relevant public authority.
3. PERSONAL DATA PARAMETERS AND INVENTORY
KAYMAKÇILAR processes personal data within the scope of its management, administrative (human resources and personnel), financial (accounting), production, quality, planning, sales and marketing, warehouse, purchasing, logistics, and IT (outsourced) processes.
The categories of data subjects whose personal data are processed include:
- Employees,
- Shareholders/partners,
- Potential customers or service recipients,
- Supplier representatives,
- Product or service recipients, and
- Visitors.
Personal data in all these categories are processed in line with the specific data processing purposes determined by KAYMAKÇILAR.
The details of the purposes of processing according to data categories and groups of data subjects are reported to the Personal Data Protection Authority (VERBİS) system, accessible at https://verbis.kvkk.gov.tr under the KAYMAKÇILAR profile.
KAYMAKÇILAR conducts all personal data processing activities in accordance with the Personal Data Processing Inventory (Annex-6).
All information notices, explicit consent forms, and related documentation are prepared based on this Inventory.
Whenever there is any change in personal data categories, data subjects, or processing purposes, the Inventory is promptly updated to ensure accuracy and compliance with the Law.
4. MEASURES FOR THE PROTECTION OF PERSONAL DATA
KAYMAKÇILAR, in accordance with the procedures and principles defined by the Law No. 6698 on the Protection of Personal Data, takes all necessary technical and administrative measures to ensure the protection of the personal data it processes.
These measures are detailed in the Personal Data Retention and Destruction Policy (Annex-7).
Within this framework, KAYMAKÇILAR performs regular audits, implements awareness and training programs, and adopts security mechanisms to protect personal data against unauthorized access, loss, alteration, or unlawful disclosure.
In the event that personal data, despite all technical and administrative precautions taken, are obtained by unauthorized third parties through unlawful means, KAYMAKÇILAR immediately implements its Personal Data Breach Response Plan (Annex-8).
KAYMAKÇILAR ensures that its employees receive training on data protection at the start of employment and at least once a year thereafter.
Employees are required to sign the Personal Data Protection Training Attendance Form (Annex-9) as proof of participation in these training sessions.
To reinforce employees’ awareness regarding the confidentiality of personal data, KAYMAKÇILAR requires them to sign the Employee Confidentiality Commitment (Annex-10).
Additionally, to remind employees of the rules they must follow regarding information security, the Employee Information Security Awareness Declaration (Annex-11) is signed annually by each employee.
Periodic data protection audits are conducted using the KVKK Audit Document (Annex-12).
Any deficiencies identified during these audits are promptly corrected and documented.
Video Surveillance and Monitoring Practices:
KAYMAKÇILAR uses security cameras only in areas and at times necessary to ensure workplace safety.
The number of cameras, their locations, and the monitoring times are determined in a way that meets security needs without infringing upon individuals’ privacy or exceeding the legitimate purposes of surveillance.
5. RETENTION AND DESTRUCTION OF PERSONAL DATA
KAYMAKÇILAR retains personal data for the duration necessary to fulfill the purposes of processing and for the minimum period required by the relevant legislation.
If a specific retention period is stipulated under the applicable legislation, KAYMAKÇILAR complies with that period.
If no such legal duration is specified, personal data are retained only for as long as necessary to fulfill the purpose for which they were collected and processed.
At the end of the determined retention period, personal data are destroyed in accordance with periodic destruction schedules or upon the request of the data subject, using one of the following secure methods:
- Deletion,
- Destruction, or
- Anonymization.
All retention and destruction activities are carried out in line with the Personal Data Retention and Destruction Policy (Annex-7).
Through this policy, KAYMAKÇILAR ensures that personal data are:
- Processed and stored lawfully,
- Retained only for the required period, and
- Permanently deleted, destroyed, or anonymized in a secure and verifiable manner once the purpose of processing no longer exists.
6. RIGHTS OF DATA SUBJECTS AND THE EXERCISE OF THESE RIGHTS
6.1. Rights of the Data Subject
Pursuant to Article 11 of Law No. 6698, data subjects have the following rights regarding their personal data:
i. To learn whether personal data are being processed,
ii. To request information if their personal data have been processed,
iii. To learn the purpose of personal data processing and whether they are used in accordance with this purpose,
iv. To know the third parties in the country or abroad to whom personal data have been transferred,
v. To request correction of personal data if they are incomplete or inaccurately processed and to request notification of such correction to third parties to whom the data have been transferred,
vi. To request the deletion or destruction of personal data within the framework of the conditions set forth in the Law and to request that third parties to whom the data have been transferred be informed of this action,
vii. To object to the occurrence of a result to the detriment of the data subject by means of analysis of the processed data exclusively through automated systems,
viii. To demand compensation for the damage incurred due to the unlawful processing of personal data.
6.2. Exercising the Rights of the Data Subject
Data subjects may submit their requests concerning the rights listed in section 6.1 to KAYMAKÇILAR in accordance with the methods determined by the Personal Data Protection Board.
Data subjects—or their legal representatives authorized to act on their behalf—may complete and submit the “Data Subject Application Form (Annex-13)” to KAYMAKÇILAR through the channels specified in the form.
6.3. Responding to Applications
KAYMAKÇILAR evaluates and finalizes all duly submitted requests from data subjects in accordance with the Law and related legislation.
All valid applications are concluded as soon as possible and within thirty (30) days at the latest, free of charge.
However, if fulfilling a request incurs additional costs, KAYMAKÇILAR may charge the applicant a fee based on the tariff determined by the Personal Data Protection Board.
6.4. Rejection of the Data Subject’s Request
KAYMAKÇILAR may reject a data subject’s request by providing justification in the following cases:
i. When personal data are processed for research, planning, or statistical purposes after being anonymized through official statistics,
ii. When personal data are processed for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights, and does not constitute a crime,
iii. When personal data are processed by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order, or economic security, within the scope of preventive, protective, and intelligence activities,
iv. When personal data are processed by judicial authorities or enforcement bodies for investigation, prosecution, trial, or execution purposes,
v. When personal data processing is necessary for the prevention of crime or criminal investigation,
vi. When the data subject has made the data public personally,
vii. When personal data processing is required for auditing or regulatory purposes by authorized public institutions or professional organizations with public institution status, or for disciplinary investigation or prosecution,
viii. When data processing is necessary for protecting the State’s economic and financial interests in relation to budget, tax, and financial matters,
ix. When the data subject’s request may impede the rights and freedoms of other persons,
x. When the request requires disproportionate effort, or
xi. When the requested information is already publicly available.
6.5. Right to File a Complaint with the Personal Data Protection Board
In cases where:
- The application is rejected,
- The response is deemed insufficient, or
- No response is provided within the legal time limit,
the data subject may file a complaint with the Personal Data Protection Board (KVK Board) within thirty (30) days from the date of learning the response, and in any case within sixty (60) days from the application date.
6.6. Additional Information Requests from the Applicant
KAYMAKÇILAR may request additional information from an applicant to verify whether the individual making the request is indeed the data subject.
If necessary, KAYMAKÇILAR may also ask questions to clarify the issues raised in the data subject’s application.
7. EXECUTION
These Principles, together with their annexes, have been approved and enacted by the Board of Directors of KAYMAKÇILAR.
The Board of Directors is responsible for ensuring the execution and, when necessary, the updating of these Principles.
The KAYMAKÇILAR Personal Data Protection Committee is responsible for overseeing all activities within this scope, including monitoring, coordination, and audit processes.
The duties, authorities, and working procedures of the Committee are defined in the “Internal Directive of the Personal Data Protection Committee” (Annex-14).
8. ENFORCEMENT AND PUBLICATION
These Principles entered into force on 01.07.2025.
Any amendments to the Principles will be published on KAYMAKÇILAR’s official website (www.kaymakcilar.com.tr) to ensure accessibility for data subjects and all relevant individuals.
The amendments take effect as of the date of publication on the website.
ANNEXES
Annex 1 – Data Categories and Personal Data
Annex 2 – Purposes of Personal Data Processing
Annex 3 – Privacy Notices
- Annex 3.1 – Customer Privacy Notice
- Annex 3.2 – Supplier Privacy Notice
- Annex 3.3 – Employee Privacy Notice
- Annex 3.4 – Job Applicant Privacy Notice
- Annex 3.5 – Website Cookie Privacy Notice
- Annex 3.6 – Camera Privacy Notice
- Annex 3.7 – Transport Delivery Note Privacy Notice
- Annex 3.8 – Card-Based Employee Tracking Privacy Notice
Annex 4 – Recipients of Personal Data and Purposes of Data Transfer
Annex 5 – Corporate Confidentiality Agreement
Annex 6 – Personal Data Processing Inventory
Annex 7 – Personal Data Retention and Destruction Policy
Annex 8 – Personal Data Breach Response Plan
Annex 9 – Personal Data Protection Training Attendance Form
Annex 10 – Employee Confidentiality Undertaking
Annex 11 – Employee Information Security Awareness Statement
Annex 12 – KVKK Audit Form
Annex 13 – Data Subject Application Form
Annex 14 – Internal Directive of the Personal Data Protection Committee
ANNEX 1 – PURPOSES OF PERSONAL DATA PROCESSING
KAYMAKÇILAR processes personal data for the following purposes, in accordance with the principles and obligations stipulated by the Law on the Protection of Personal Data No. 6698 (KVKK) and other relevant legislation:
| Purposes of Personal Data Processing |
|---|
| Protection of public health, preventive medicine, medical diagnosis, treatment and care services |
| Execution of Emergency Management Processes |
| Execution of Information Security Processes |
| Execution of Recruitment / Internship / Student Selection and Placement Processes |
| Execution of Candidate Application Processes |
| Execution of Employee Satisfaction and Engagement Processes |
| Fulfillment of Employment Contracts and Legal Obligations for Employees |
| Execution of Employee Benefits and Side Rights Processes |
| Execution of Audit / Ethical Activities |
| Execution of Training Activities |
| Execution of Access Authorization Processes |
| Execution of Activities in Compliance with Legislation |
| Execution of Finance and Accounting Affairs |
| Ensuring Physical Space Security |
| Execution of Assignment Processes |
| Execution and Follow-up of Legal Affairs |
| Execution of Internal Audit / Investigation / Intelligence Activities |
| Execution of Communication Activities |
| Planning of Human Resources Processes |
| Execution and Supervision of Business Activities |
| Execution of Occupational Health and Safety Activities |
| Receiving and Evaluating Suggestions for Improvement of Business Processes |
| Execution of Business Continuity Activities |
| Execution of Logistics Activities |
| Execution of Procurement Processes for Goods / Services |
| Execution of Sales Processes for Goods / Services |
| Execution of Production and Operational Processes for Goods / Services |
| Organization and Event Management |
| Execution of Performance Evaluation Processes |
| Execution of Advertising / Campaign / Promotion Processes |
| Execution of Risk Management Processes |
| Execution of Archiving and Record Retention Activities |
| Execution of Contract Processes |
| Follow-up of Requests / Complaints |
| Execution of Supply Chain Management Processes |
| Execution of Wage Policy Processes |
| Ensuring the Security of Data Controller Operations |
| Execution of Talent / Career Development Activities |
| Provision of Information to Authorized Persons, Institutions, and Organizations |
| Execution of Management Activities |
ANNEX 2 – DATA CATEGORIES AND PERSONAL DATA
| Data Categories | Personal Data |
|---|---|
| Identity Information | Name, Surname; Mother’s and Father’s Name; Date of Birth; Place of Birth; Marital Status; ID Card Serial Number; Turkish ID Number; Passport Number; Temporary Turkish ID Number; Gender Information; Patient Tracking Number; Driver’s License Information |
| Contact Information | Address; E-mail Address; Correspondence Address; Registered E-Mail Address (KEP); Telephone Number |
| Location Information | Location data such as physical location or positioning information |
| Personnel Information | Payroll Information; Disciplinary Investigation Details; Employment Entry–Exit Records; Resume / CV Information |
| Legal Transaction Information | Information contained in correspondence with judicial authorities, court files, or similar legal documents |
| Customer Transaction Information | Invoice Details; Check / Bill Information; Entry–Exit Logs; Appointment Information |
| Physical Space Security | Employee and Visitor Entry–Exit Records; CCTV Footage (Camera Recordings) |
| Transaction Security Information | IP Address Information; Internet Access Logs; Password and Login Information |
| Risk Management Information | Information processed for management of commercial, technical, and administrative risks |
| Financial Information | Balance Sheet Details; Financial Performance Information; Credit and Risk Information; Bank Account Number; IBAN Number |
| Professional Experience | Diploma Information; Courses Attended; In-Service Training Details; Certificates |
| Marketing Information | Purchase History, Surveys, Cookie Data, Campaign Participation Details, and similar marketing-related information |
| Visual and Audio Records | CCTV Recordings, Audio Recordings |
| Health Information | Disability Information; Blood Type; Personal Health Details; Information on Used Medical Devices or Prosthetics; Laboratory and Imaging Results; Test Results |
| Criminal Convictions and Security Measures | Information on Criminal Convictions, Security Measures, or similar records |
ANNEX 4 – RECIPIENTS OF PERSONAL DATA AND PURPOSES OF DATA TRANSFER
KAYMAKÇILAR, in accordance with Articles 8 and 9 of the Law on the Protection of Personal Data No. 6698 (KVKK), may transfer the personal data of its participants, customers, and employees to the categories of recipients listed below.
| Recipients of Data Transfer | Description | Purpose and Scope of Data Transfer |
|---|---|---|
| Natural Persons or Private Legal Entities | Individuals or legal entities with whom KAYMAKÇILAR conducts business relations or transactions | Limited to the purpose of performing the relevant business or transaction |
| Authorized Public Institutions and Organizations | Public institutions and organizations legally authorized to request information and documents, such as the Social Security Institution (SGK), Tax Offices, etc. | Limited to the purpose requested by the legally authorized public institution or organization |
| Shareholders | Company shareholders / partners | Limited to matters related to their areas of activity within the company |
| Suppliers | Institutions or organizations providing goods and services to the company | Limited to matters related to their business activities and contractual obligations |
| Business Partners | Institutions or organizations engaged in partnership with the company in its operational activities | Limited to matters related to their areas of collaboration and activity |
ANNEX 5 – CORPORATE CONFIDENTIALITY AGREEMENT
1. PARTIES
This Corporate Confidentiality Agreement (“Agreement”) is entered into between:
Kaymakçılar Casting and Industry Inc. (“KAYMAKÇILAR” or “Data Controller”)
Address: Başkent Organized Industrial Zone, 16th Street No:17, Malıköy/Sincan/Ankara
and the undersigned Employee / Supplier / Business Partner / Contractor (“Counterparty”).
2. PURPOSE OF THE AGREEMENT
The purpose of this Agreement is to ensure the protection, confidentiality, and lawful processing of all personal data and confidential information obtained, accessed, or learned by the Counterparty during its relationship with KAYMAKÇILAR, in compliance with the Law on the Protection of Personal Data No. 6698 (KVKK) and related regulations.
3. DEFINITIONS
- Confidential Information: All non-public data, documents, business plans, customer information, employee data, and personal data that are accessed or obtained in any form (written, verbal, electronic, etc.).
- Personal Data: Any information relating to an identified or identifiable natural person, as defined under the KVKK.
- Processing of Personal Data: Any operation performed on personal data, such as collection, recording, storage, alteration, disclosure, or transfer.
4. CONFIDENTIALITY OBLIGATIONS
The Counterparty undertakes to:
- Protect and keep confidential all personal data and corporate information obtained from KAYMAKÇILAR.
- Use such information only for the purposes of performing its contractual or professional obligations.
- Not disclose or transfer personal data to any third party without the prior written consent of KAYMAKÇILAR.
- Take all technical and administrative measures necessary to prevent unauthorized access, alteration, or destruction of personal data.
- Immediately inform KAYMAKÇILAR of any suspected or actual breach of confidentiality or data security.
5. RETURN OR DESTRUCTION OF INFORMATION
Upon the termination of the contractual or professional relationship, or at any time upon request by KAYMAKÇILAR, the Counterparty must immediately return or irreversibly destroy all copies, documents, and media containing personal or confidential information.
6. LIABILITY
The Counterparty acknowledges that any breach of this Agreement may constitute a violation under the KVKK and relevant laws, and accepts full legal and financial responsibility for any damages, administrative fines, or sanctions resulting from such a breach.
7. TERM AND TERMINATION
This Agreement enters into force on the date of signature and remains valid indefinitely, even after the termination of the contractual relationship, to the extent permitted by law.
8. GOVERNING LAW AND JURISDICTION
This Agreement shall be governed by the laws of the Republic of Turkey.
Any disputes arising under or in connection with this Agreement shall be subject to the exclusive jurisdiction of the Ankara Courts and Enforcement Offices.
9. EFFECTIVE DATE AND SIGNATURES
This Agreement has been executed in two (2) copies, one for each party, and entered into force on the date of signature.
| For Kaymakçılar Casting and Industry Inc. | For the Counterparty |
|---|---|
| Name–Surname: __________________________ | Name–Surname: __________________________ |
| Title: __________________________ | Title: __________________________ |
| Signature: __________________________ | Signature: __________________________ |
| Date: ____ / ____ / ______ | Date: ____ / ____ / ______ |
ANNEX 6 – PERSONAL DATA PROCESSING INVENTORY
1. PURPOSE
This inventory has been prepared in accordance with the Law on the Protection of Personal Data No. 6698 (KVKK) and the Regulation on the Data Controllers Registry, in order to document all personal data processing activities carried out by Kaymakçılar Casting and Industry Inc. (“KAYMAKÇILAR”).
It provides a structured framework describing which data are processed, for what purposes, based on which legal grounds, and to whom they are transferred.
2. SCOPE
This inventory covers all processing activities related to:
- Employees, employee candidates, interns, and visitors,
- Customers, suppliers, and business partners,
- Authorized public institutions and private entities with whom KAYMAKÇILAR interacts,
- All personal data collected, processed, stored, or transferred by any department of KAYMAKÇILAR.
3. STRUCTURE OF THE INVENTORY
Each data processing activity within KAYMAKÇILAR is mapped according to the following parameters:
| Parameter | Description |
|---|---|
| Data Category | The classification of personal data processed (e.g., identity, contact, health, financial, etc.). |
| Data Subject Group | The group of individuals whose personal data are processed (e.g., employees, suppliers, customers, visitors). |
| Processing Purpose | The reason for processing personal data (e.g., HR management, legal obligations, contract execution). |
| Legal Basis | The specific legal ground under Articles 5 and 6 of the KVKK authorizing processing. |
| Data Recipient | The individuals or entities to whom personal data may be transferred (e.g., public institutions, business partners). |
| Retention Period | The duration for which personal data are stored, either as prescribed by law or based on business needs. |
| Technical and Administrative Measures | The safeguards implemented to ensure data confidentiality, integrity, and availability. |
| Destruction Method | The process used for data deletion, destruction, or anonymization once the retention period expires. |
4. DATA PROCESSING AREAS
KAYMAKÇILAR processes personal data within the following business areas and systems:
- Human Resources (employee records, payroll, attendance, training)
- Production and Quality Control (workplace safety records, access logs, camera monitoring)
- Sales and Marketing (customer contact data, proposals, contracts)
- Procurement and Logistics (supplier details, delivery records)
- Finance and Accounting (billing, tax, and banking information)
- IT and Security (system access logs, network monitoring, backups)
5. UPDATES AND REVISION
- This inventory is reviewed annually or whenever significant changes occur in data processing activities, business structure, or legal requirements.
- All departments must immediately notify the KVKK Committee of any new personal data processing activity.
- Updates are recorded in the VERBIS (Data Controllers Registry Information System) under KAYMAKÇILAR’s official registration.
6. DATA PROTECTION RESPONSIBILITY
The KAYMAKÇILAR Personal Data Protection Committee is responsible for ensuring that:
- All entries in the inventory remain accurate and up to date,
- Personal data processing aligns with the KVKK and company policies,
- Necessary technical and organizational measures are implemented,
- Staff members are trained and informed about data protection obligations.