Clarification Text Prepared Under the Law on Protection of Personal Data (PDPL)
As **Metot Otomotiv A.Ş. (“Company”)**, this Clarification Text on the Protection and Processing of Personal Data has been prepared as the data controller in order to inform personal data owners about the legal boundaries for the purposes of processing and collecting **Personal Data** obtained in accordance with the Law on Protection of Personal Data numbered 6698 (**“Law”**), its protection, storage, use, transfer, deletion, and anonymization in accordance with the Law, and thereby fulfill our disclosure obligation. Accordingly, the purposes for which the Company processes personal data, to whom the processed data can be transferred and for what purposes, our method of collecting personal data and the legal reason, and the rights of the data owner will be detailed below.
As the Company, we aim to comply with the Law by creating all kinds of legal grounds and processes for the protection and processing of personal data and by raising awareness on this issue among all the people we are associated with through this Clarification Text.
PURPOSE AND SCOPE OF THE CLARIFICATION TEXT
It is aimed that all kinds of operations regarding personal data to be carried out by the Company are conducted in accordance with the law and procedure pursuant to the Law on Protection of Personal Data No. 6698 and other relevant legislation.
In this context, this Clarification Text has been prepared for **real customers**, **potential customers**, **Company shareholders**, **Company officials**, **Company employees**, **employee candidates**, **employees, shareholders and officials of the institutions we cooperate with**, **visitors** and all other relevant **third parties** whose personal data will be obtained, recorded, stored, processed, used, transferred or acquired in any way.
Your personal data shared with our Company may be processed within the framework of the personal data processing conditions and purposes specified in Articles 5 and 6 of the PDPL for the purposes of fulfilling the provisions arising from the employment or service contract, the provisions arising from the "Occupational Health and Safety Law No. 6331" and related regulations, customer information, training services, electronic communication processes, supplier workflow and employment processes, in order to provide services related to the Company's fields of activity and to increase the quality of these services and carry out its other activities and comply with the disclosure obligations, ensuring the legal and commercial security of the Company and the people in a business relationship with the Company, ensuring the execution of the Company's human resources policies, determining and implementing commercial and business strategies.
ISSUES CONCERNING THE PROCESSING OF PERSONAL DATA
2.1 General Principles Regarding the Processing of Personal Data
Our Company acts within the framework of the general principles and procedures determined in the Law and other relevant legislation regarding the protection and processing of personal data collected in accordance with the Law. The Company declares and undertakes that it will act in accordance with the following principles in accordance with Article 4 of the Law during the protection and processing of this data:
- The Company will act in accordance with the law and honesty rules in all personal data processing processes and will observe the requirements of the principle of proportionality.
- The Company, as the data controller, will ensure that all personal data it processes is accurate and up-to-date, and will take all necessary measures in this regard.
- The Company, as the data controller, will limit data processing activities only to specific, explicit and legitimate purposes.
- The Company, as the data controller, will process the personal data it obtains only in a manner that is connected, limited and proportionate to the purpose for which it is processed. In this context, personal data can only be processed if it is suitable for the realization of the determined purposes, and these purposes cannot be extended to meet needs that may arise later.
- The Company, as the data controller, will be able to keep all personal data it processes for a period limited to the period stipulated in the relevant legislation or required for the purpose for which it is processed. In this regard, the Company will act in accordance with Article 138 of the Turkish Penal Code and Articles 4 and 7 of the PDPL.
2.2 Conditions Required for the Processing of Personal Data
Personal data collected by the Company in accordance with Articles 1 and 2 of the Law may be processed fully or partially automatically or non-automatically in line with the data owner's **explicit consent** and in accordance with the principles explained in article 2.1 of the Clarification Text. This personal data may be processed without seeking explicit consent if one or more of the conditions specified in Article 5 of the Law exist.
Data containing the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data of individuals constitutes "**special category personal data**" within the scope of the PDPL, and in addition to the obligations stated above, there are special requirements sought by the law regarding the processing of special category personal data and its transfer to third parties and abroad. The Company declares and undertakes that it will act in accordance with the special provisions regulated in the Law in cases of processing special category personal data.
DEFINITION OF PERSONAL DATA AND DATA OWNERS
We have an obligation to inform pursuant to Article 10 of the PDPL, and based on this obligation, we inform and enlighten the data owners with this text about which personal data will be processed by our Companies and for what purposes they are processed.
The personal data processed by our Companies and the target audiences of this data are categorized in the table below.
3.1 Definition of Personal Data
The personal data categorized in the table below may be included in all kinds of processing processes if one or more of the personal data processing conditions explained in Article 2.2 of this Clarification Text exist, in accordance with the PDPL, and in accordance with the principles explained in Article 2.1 of this Clarification Text.
| Processed Personal Data | Description |
|---|---|
| Identity Information | Information regarding the identity of an identified or identifiable real person. Examples of this information include; name-surname, T.R. identity number, identity card information, documents containing this information such as driver's license, passport, marriage certificate, detailed population registration information, residence information, resume information, signature information, tax number, SGK number, vehicle license plate information. |
| Contact Information | Information regarding the contact information of an identified or identifiable real person. Examples of this information include; phone number, e-mail information, address information, fax number, IP address. |
| Location Information | Information that determines the location of employees when using Company vehicles within the scope of the operations carried out by the Company and that belongs to an identified or identifiable real person. Examples of this information include; GPS location, travel data, etc. |
| Information Regarding Family Members and Relatives | Information regarding family members, relatives and other people who can be reached in emergency situations, acquired to protect the interests of data owners. Examples of this information include; name-surname, phone number, etc. of people such as spouse-mother-father-child. |
| Physical Space Security Information | All information regarding the entry, exit and stay of an identified or identifiable real person in the physical areas belonging to our Companies. Examples of this information include; work entry and exit log records, visitor records, camera recordings, fingerprint records and records taken at the security point. |
| Corporate Information | All information regarding an identified or identifiable real person obtained and maintained within the corporate structure of our Companies. Examples of this information include; circular of signature information, company manager and employee information, title information, position information, etc. |
| Financial Information | All information acquired according to the nature of the legal relationship between the identified or identifiable real person and our Companies and that serves to finance this relationship or shows the financial result of this relationship. Examples of this information include; bank name, bank account number, tax identification number, IBAN number, credit card information, asset data, income information, Findeks Report, etc. |
| Visual/Auditory Information | All kinds of photographs and camera recordings, sound recordings, etc., excluding records obtained within the scope of physical space security information regarding an identified or identifiable real person. |
| Document Information | Information belonging to all kinds of documents signed with our Companies regarding an identified and identifiable real person. Examples of this information include; contracts, contract termination notices, additional protocols, court and administrative authority documents, etc. |
| Personnel Information | Information that will constitute the personnel rights of these people regarding an identified or identifiable real person in accordance with the employment contract between the Company and them. Examples of this information include; payroll information, bank receipts, score records, SGK information, fringe benefits information, annual leave-excuse minutes, task change forms, Declaration and consent approval documents, employment contracts, information security commitments, performance evaluation reports and all kinds of information and documents that must legally be included in the personnel file, not limited to those listed. |
| Candidate Information | All kinds of information obtained for the purpose of establishing an employment contract regarding an identified or identifiable real person. Examples of this information include; resume information, interview notes, T.C. Identity number, retirement information, address, phone, e-mail, personality inventory records, etc. |
| Request/Complaint Management Information | All kinds of requests and complaints submitted to the Company and all records regarding their receipt and all reports regarding their evaluation constitute request/complaint management information if they belong to an identified or identifiable real person. |
3.2 Identification of Personal Data Owners
| Personal Data Owners | Explanations |
|---|---|
| Company Employees | Real persons working within the Company pursuant to the employment contract signed between them and our Companies. |
| Employee Candidates | Real persons who have applied for a job to the Company or have delivered their resume information to our Companies in any way. |
| Real Customers | Real persons whose personal data the Company has acquired within the scope of the existing contractual relationship between them and our Companies and all kinds of business relationships of the Company. |
| Potential Customers | Real persons whose personal data the Company has acquired within the scope of all kinds of business relationships of the Company without a contractual relationship between them and our Companies. |
| Company Officials | Members of the Company's board of directors and other real persons authorized to manage within the Company. |
| Employees, Shareholders and Officials of the Institutions We Cooperate With | All relevant real persons, including employees working with a service contract in the institutions with which the Company has all kinds of business relationships, the shareholders and officials of these institutions. |
| Visitor | Real persons who have visited the Company's physical spaces or website, regardless of the purpose. |
| Third Party | All relevant real persons not included in this Procedure. Examples of these people include; guarantor, companion, family members and relatives, former employees, etc. |
| Customer Officials and Employees | Real persons whose personal data the Company has acquired regarding their officials and employees within the scope of the existing contractual relationship between them and our Companies and all kinds of business relationships of the Company. |
PURPOSES OF COLLECTING AND PROCESSING PERSONAL DATA
Personal data obtained from the data owners defined in Article 3.2 of this Clarification Text are collected and processed for the following purposes:
- Within the scope of the service contracts signed with Customers and Business Partners, for the purpose of providing service regarding the performance of the service, operational execution and follow-up, necessary audits and notifications within the scope of the laws that must be complied with in accordance with the Company's fields of activity, execution and follow-up of all necessary transactions related to the services, risk assessment and reporting, execution of contract processes, and planning and execution of operational processes related to the services,
- Fulfilling the obligations arising from the performance of the contract,
- Executing financial, accounting and financial transactions, including invoicing activities for the service provided arising from the contract,
- Being able to carry out evaluation, analysis and risk management studies within legal limits regarding the service to be provided to Customers,
- Managing relations with Customers and Company employees and following corporate management activities,
- Managing and following up customer, Company employee and 3rd party requests and complaints,
- Improving and developing the services offered by our Companies, determining and implementing commercial and business strategies,
- Continuing business and operations, executing Company activities and procedures,
- Carrying out risk management, ensuring business continuity, following contract processes or legal demands,
- Planning information security processes, establishing and managing the information technology infrastructure,
- Ensuring the legal and commercial security of the products and services offered by our Companies and the people in a business relationship with our Companies,
- Planning and following up business carried out with business partners, group Companies or suppliers,
- Following and executing legal processes and communication processes with official institutions,
- Organizing and following up events to be held for Customers,
- Information obtained from potential Customers and employee candidates for the purpose of establishing both service contracts and employment contracts,
- For our Company employees, planning work and performance evaluation processes and business activities within the scope of the established employment contract, making necessary notifications to relevant institutions and organizations, and fulfilling the Company's legal obligations,
will be processed within the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law No. 6698 for such purposes.
For some specific purposes of processing your personal data, we require you to have given your **explicit consent** under the Law No. 6698. The purposes for which your data may be processed if you have given your explicit consent on any platform are listed below:
- Information regarding the relatives of our Company employees in order to contact them in case of an emergency,
- Information falling within the scope of special category data such as race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data,
- Information obtained for travel, accommodation and transfer transactions for purposes such as in-company training, activities, organizations;
- Information obtained within the scope of in-company training,
- Information obtained for Employee Portal memberships,
- Information obtained and recorded in Company Systems for the purpose of carrying out in-company transactions
TRANSFER OF PERSONAL DATA
Your collected personal data; for the purpose of realizing the aforementioned Purposes, primarily with its own affiliates and subsidiaries; with our **business partners**, **Customers**, **suppliers**, **Customers**, **audit Companies**, **banks**, **insurance Companies**, **incentive consultancy Companies** and other business partners, affiliates, **third parties** from whom external services are received, legally authorized **public institutions and private persons and institutions** can be shared and transferred abroad within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law No. 6698.
5.1 Third Parties to Whom Personal Data is Transferred and Purposes of Transfer
We have an obligation to inform pursuant to Article 10 of the PDPL, and based on this obligation, we inform and enlighten the data owners with this text about which groups of people the personal data transferred by our Companies are transferred to. The groups of people to whom the personal data transferred by our Companies will be transferred and the purposes for which they will be transferred are categorized in the table below:
| Groups of Persons to Whom Data Can Be Transferred | Explanation Regarding Groups of Persons | Purpose of Data Transfer |
|---|---|---|
| Business Partner | The parties with whom the Company carries out commercial activities under any name. | Data transfer will be provided for the purpose of establishing the business partnership and carrying out the commercial activities subject to this business partnership, and only limited to this purpose. |
| Supplier | The parties that provide any service to the Company based on the service contract between them within the scope of the Company's commercial activities. | Data transfer will be provided for the purpose of obtaining the services necessary to carry out the Company's commercial activities and performing these services, and only limited to this purpose. |
| Shareholders | Real persons who own Company shares. | Data transfer will be provided in accordance with the provisions of the relevant legislation within the scope of the Company's corporate law and corporate communication processes, and only limited to these process activities. |
| Company Officials | Members of the Company's board of directors and other real persons authorized to manage within the Company. | Data transfer will be provided for the purposes of determining the Company's business strategies, ensuring senior management, and conducting necessary audits in accordance with the provisions of the relevant legislation, and only limited to these purposes. |
| Legally Authorized Public Institutions and Organizations and Private Law Persons | Public institutions and organizations and private law persons authorized to request information and documents from the Company pursuant to the provisions of the relevant legislation. | Data transfer will be provided within the framework of the legal authority granted to the relevant public institutions and organizations and private organizations within the scope of the relevant legislation, and only limited to the purpose they request. |
DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
The Company and/or real and legal persons, including the representatives with whom the Company cooperates or authorizes, keep the personal data collected pursuant to Articles 1 and 2 of the PDPL for the period required by the processing purposes stipulated in the legislation and specified in this Clarification Text, provided that the cases where the relevant legislation permits or necessitates the retention of this data for a longer period are reserved, in accordance with Article 138 of the Turkish Penal Code and Article 7 of the PDPL. If the purpose of processing personal data ceases to exist, this data is **deleted, destroyed or anonymized** by the Company **ex officio or upon the request of the data owner.**
OUR OBLIGATIONS REGARDING THE PROTECTION AND PROCESSING OF PERSONAL DATA
7.1. Our Obligations as Data Controller
As the **data controller** we possess pursuant to the PDPL, we have obligations arising from Article 12 of the Law and other relevant legislation; in accordance with these obligations, we take all necessary technical and administrative measures within the scope of our technological capabilities to prevent the unlawful processing of personal data, prevent unlawful access to this data, and ensure the preservation of the data, and we carry out and have carried out the necessary audits in this regard. In the event that the personal data processed by our Companies is obtained unlawfully by third parties, our Companies declare and undertake that they will notify the data owner and the PDPL Board as soon as possible, and that they will create the necessary regulations within the Company's internal structure in this regard.
7.2. Rights of Data Owners pursuant to PDPL Article 11
- To learn whether personal data is processed,
- To request information if personal data has been processed,
- To learn the purpose of processing and whether they are used appropriately for their purpose,
- To know the third parties to whom personal data is transferred,
- To request correction if personal data is incomplete or incorrectly processed, and to request the deletion of this data if the conditions are met, and to request that these transactions be notified to third parties,
- To object to the emergence of a result against the person by analyzing the processed data exclusively through automated systems,
- To request compensation for the damage in case of damage due to unlawful processing of personal data.
Pursuant to the first paragraph of Article 13 of the PDPL, you can send your written request to exercise your rights stated above to the address **Topraklık Mahallesi Gazi Mustafa Kemal Bulvarı No:17 /301 Kat:5 Pamukkale DENİZLİ** with a wet signature or to our registered electronic mail address **info@metototomotiv.com.tr** signed with a secure electronic signature.
In your application; the issue you request must be clear and understandable, the subject must be related to you or if you are acting on behalf of someone else, you must be officially authorized by the official authorities and the authorization must be documented, and it must include identity and address information and documents proving your identity must be attached to the application.
If you submit your requests regarding your Rights within the scope of this Clarification Text by the methods regulated under the heading “Protection of Personal Data” on **info@metototomotiv.com.tr** and the websites, your request will be concluded as soon as possible and within a maximum of **30 (thirty) days**, depending on the nature of the request.
8. AMENDMENTS
The clarification text may be amended due to changes in legislation. When a change occurs, the necessary announcements will be made on our website, and it will be appropriate for you to regularly visit our website to be informed about these changes.