Bien Yapı Ürünleri Sanayi Turizm ve Ticaret Anonim Şirketi (“Bien” or the “Company”) attaches utmost importance to the processing of personal data in compliance with the applicable legislation, and to ensuring the confidentiality and security of such data. Bien processes personal data within the limits mandated by the Law on the Protection of Personal Data No. 6698 (“Law” or “KVKK”), secondary regulations issued thereunder, and the decisions of the Personal Data Protection Board.
This Policy has been drawn up by the Company, in its capacity as Data Controller, for the purposes of fulfilling the disclosure obligation stipulated under Article 10 of the Law and informing data subjects as transparently as possible regarding their rights set forth in Article 11 of the Law.
This Policy covers all personal data of Bien employees, employees’ family members, employee candidates, reference persons, supplier employees, supplier representatives, customers and other third persons that are processed fully or partially by automated means or by non-automated means as part of any data recording system.
This Policy provides general information regarding all personal data processing activities. Separate Information Notices (Clarification Texts) are prepared for activities involving specific personal data processing, and data subjects are informed accordingly. Information on the personal data processed, the purposes of processing, the collection method and legal grounds, and the recipients and purposes of transfers is provided in the Information Notices prepared separately for each data subject group.
Bien has adopted the following principles as a working standard to ensure that personal data is processed and protected in accordance with the procedures and principles set forth primarily in Article 20 of the Constitution, the Law No. 6698 on the Protection of Personal Data, secondary regulations, and the decisions of the Personal Data Protection Board.
Personal data may be processed by Bien in accordance with the principles set forth in Article 4 of the Law and the procedures and principles stipulated in other relevant legislation.
Compliance with the law and the rules of good faith:
Bien takes into account the reasonable expectations of data subjects and processes the minimum amount of data necessary without going beyond the purpose of data processing. It pays attention to ensuring transparency of data processing activities for the data subject and fulfills its obligation to inform.
Being accurate and up to date where necessary:
Bien attaches importance to the accuracy and currency of personal data. Where necessary, data is updated and its accuracy is verified.
Processing for specified, explicit, and legitimate purposes:
Personal data is processed for clear, specific, and legitimate purposes. Bien does not process personal data for any purpose other than those communicated to the data subject.
Being relevant, limited, and proportionate to the purposes for which they are processed:
Bien restricts its data processing activities to data that is sufficient and necessary for the realization of the relevant purpose. It avoids processing data that is not suitable or not needed for achieving the intended purpose.
Being stored for the period laid down by relevant legislation or required for the purpose for which the personal data is processed:
In accordance with Article 138 of the Turkish Penal Code and Articles 4 and 7 of the Law, Bien retains the personal data it processes only for the period stipulated in the relevant legislation and laws or for the period required for the purpose of processing. In this context, the Company first determines whether a specific retention period is prescribed in the relevant legislation for the personal data subject to processing. If a statutory period is stipulated, such period is complied with. If no statutory period is stipulated, a period necessary for achieving the purpose of processing is determined, and personal data is stored only for this period. At the end of the determined retention period or upon the request of the data subject, personal data is destroyed by Bien using destruction methods it determines (deletion and/or destruction and/or anonymization).
Your personal data may be collected by automated or non-automated methods during physical visits to our Company premises, through camera recordings, call recordings, our business units, verbal communication, physical delivery, paper-based media, contracts, information collection forms, e-mail, registered e-mail (KEP), fax, telephone, our website and similar channels, verbally, in writing, or electronically. For as long as you benefit from Bien’s services, your personal data may be processed and, where necessary, updated to ensure its accuracy and currency.
Pursuant to Article 5(1) of the Law, as a rule, personal data cannot be processed without the explicit consent of the data subject. Explicit consent is obtained by informing the data subject and is based on their free will.
However, within the scope of Article 5(2) of the Law, personal data may be processed without seeking explicit consent of the data subject if one of the following conditions applies:
Explicitly stipulated by laws:
If there is an explicit provision in the law regarding the processing of personal data, such personal data may be processed without obtaining the data subject’s consent.
Impossibility of obtaining consent due to actual impossibility:
Where the data subject is unable to express consent due to actual impossibility, or their consent is not deemed legally valid, and processing is necessary for the protection of the life or physical integrity of the data subject or another person, personal data of the data subject may be processed.
Being necessary for the establishment or performance of a contract:
Provided that it is directly related to the establishment or performance of a contract, personal data belonging to the parties of the contract may be processed if necessary for such purposes.
Being necessary for the data controller to fulfill its legal obligation:
Personal data of the data subject may be processed if processing is necessary for the data controller to fulfill its legal obligations.
Personal data made public by the data subject:
Personal data that has been made public in any way by the data subject and thus made available to everyone may be processed, limited to the purpose of making it public.
Being necessary for the establishment, exercise or protection of a right:
Personal data of the data subject may be processed if data processing is necessary for the establishment, exercise or protection of a right.
Being necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed:
The Data Controller first determines the legitimate interest to be obtained by processing the personal data, then assesses the potential impact of the processing on the rights and freedoms of the data subject, and proceeds with the processing activity if it concludes that the balance of interests is not disturbed.
Bien exercises increased diligence in the processing of special categories of personal data, as additional measures must be taken for the retention and transfer of such data compared to other personal data. Special categories of personal data are those which, if learned, may lead to discrimination or victimization of the data subject. Special categories of personal data are exhaustively listed in Article 6 of the Law as: data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of an association, foundation or trade union, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
The processing of special categories of personal data is prohibited as a rule. However, the processing of such data is possible in the following cases:
Where the data subject has given explicit consent,
Where it is explicitly stipulated in laws,
Where it is necessary for the protection of the life or physical integrity of a person who is unable to express consent due to actual impossibility or whose consent is not deemed legally valid, or of another person,
Where it relates to personal data that the data subject has made public, and the processing is in line with the purpose of making it public,
Where it is necessary for the establishment, exercise or protection of a right,
Where it is necessary for the protection of public health, preventive medicine, medical diagnosis, the provision of treatment and care services, planning, management and financing of health services, and data is processed by persons under an obligation of confidentiality or by authorized institutions and organizations,
Where it is necessary for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance,
Where it is processed by foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade-union purposes, in accordance with the legislation to which they are subject and their purposes, limited to their areas of activity and without being disclosed to third parties, for their current or former members and affiliates or persons who are in regular contact with such organizations.
In addition, sufficient measures determined by the Board must be taken in the processing of special categories of personal data.
Within the scope of the personal data processing conditions set forth in Articles 5 and 6 of the Law, Bien may process personal data in the categories of identity, contact, personnel (HR), legal transaction, customer transaction, transaction security, risk management, finance, marketing, professional experience, visual and audio records, physical space security, health information, criminal conviction and security measures.
The personal data processed may vary depending on the activities carried out by Bien. For each activity involving personal data processing, separate Information Notices are prepared and data subjects are informed.
This Personal Data Processing and Protection Policy covers all personal data of Bien employees, employees’ family members, employee candidates, interns, reference persons, supplier employees, supplier representatives, customers and other third parties that are processed fully or partially by automated means or by non-automated means as part of any data recording system.
Personal data obtained by Bien business units may be processed within the scope of the personal data processing conditions set forth in Articles 5 and 6 of the Law.
Personal data may be transferred by Bien in line with the purposes of data processing and in compliance with the personal data transfer conditions set forth in Articles 8 and 9 of the Law, to:
The Revenue Administration, the Social Security Institution and other legally authorized public institutions and organizations, as well as legally authorized private law persons, for the purposes of fulfilling legal obligations such as reporting and sharing information and documents,
Real persons and private law legal entities (such as Occupational Safety and Health Joint Health and Safety Units, Certified Public Accountants, Sworn-in Certified Public Accountants, Law Firms) for the purpose of obtaining services in areas such as training, accounting and legal matters,
Independent Audit Firms for the purposes of carrying out risk management and internal audit activities,
Banks for the purpose of executing payment transactions,
Relevant insurance companies for the purpose of making Private Pension System (PPS) payments,
Companies providing information technologies support, for the purpose of receiving IT support services,
Relevant suppliers for the purpose of carrying out procurement activities,
Business partners, group companies and companies that have an organic link with Bien and/or share a similar partnership structure, for the purposes of conducting commercial activities and implementing Company policies.
Data transfer is carried out in connection with, limited to, and proportionate to the purpose of transfer.
The right to demand the protection of personal data was granted constitutional protection within the scope of the “right to privacy and protection of private life” by adding a paragraph to Article 20 of the Constitution with the amendment made by Law No. 5982 in 2010.
In accordance with Article 12 of the Law, Bien takes necessary measures to ensure an appropriate level of security to prevent unlawful processing of personal data, prevent unlawful access to personal data, and ensure the protection of personal data, taking into account the nature of such data.
Our Company attaches great importance to the protection of personal data. It pays attention to ensuring that employees participate in KVKK (PDP) trainings and that awareness is raised. KVKK Policies have been established for our Company, and activities involving personal data are carried out in compliance with the procedures and principles set forth in these policies.
Persons responsible for the implementation of the Policies, monitoring the compliance of employee activities with the Policies, publication and updating of the Policy, and execution of data destruction processes have been designated and duties have been allocated. Our Company is authorized to make necessary updates in accordance with changes in the law and decisions of the Board regarding personal data processing and information security. The Company carries out the necessary audits within the scope of the Law or has them carried out. Expert service providers may be engaged in the execution of this process.
Bien retains personal data for the period required for the purpose for which it is processed and in accordance with the periods stipulated in the legal regulations applicable to the respective activity. In this context, our Company first determines whether a retention period is stipulated in the relevant legislation for the personal data. If such a period is stipulated, the Company acts in accordance with this period. If no legal period exists, personal data is retained only for the period necessary for the purpose for which it is processed.
At the end of the determined retention period or upon the request of the data subject, personal data is destroyed by Bien using the destruction methods it determines (deletion and/or destruction and/or anonymization).
This Policy provides general information regarding all personal data processing activities. Data subjects are informed in detail through separate information notices (clarification texts) specific to each data processing activity, and explicit consents are obtained where necessary. In this context, separate information and explicit consent texts are used for data subject groups such as Employees, Employee Candidates, Customers, etc.
During personal data processing activities, our Company informs data subjects regarding the categories of personal data processed, the purposes of processing, the method of collection and legal grounds, the recipient groups and purposes of data transfers, the rights of data subjects, and our Company as the Data Controller. Our Company fulfills the disclosure obligation stipulated under Article 10 of the Law in accordance with the procedures and principles set out in the “Guidelines on Fulfilling the Obligation to Inform” published by the Authority. Necessary information notices are published in electronic or physical environments in line with the data collection method.
You, as the personal data subject, have the following rights:
To learn whether your personal data is being processed,
If your personal data has been processed, to request information regarding such processing,
To learn the purpose of processing your personal data and whether it is used in accordance with this purpose,
To know the third parties to whom your personal data is transferred, domestically or abroad,
To request the correction of personal data if it is incomplete or inaccurate and to request that the correction be notified to third parties to whom the personal data has been transferred,
To request the deletion or destruction of your personal data in the event that, although processed in accordance with the Law and other relevant legislation, the reasons requiring its processing no longer exist, and to request that such deletion or destruction be notified to the third parties to whom the personal data has been transferred,
To object to any result arising to your detriment through the analysis of your personal data exclusively by automated systems,
To request compensation for your damages in the event that you suffer damage due to the unlawful processing of your personal data.
You may submit your requests listed above by completing the Data Subject Application Form available on our website and sending a wet-signed copy in person or via notary to:
Acıbadem Mah. Gömeç Sok. No:39, 34660 Kadıköy, İstanbul
or by e-mail to: kvkk@bienseramik.com.tr
You may access detailed information regarding the requirements that must be included in your application and the application methods in the Data Subject Application Form.
Your application must contain: your name and surname, and if your application is in writing, your signature; your Turkish ID number if you are a citizen of the Republic of Türkiye, or your nationality, passport number or identification number if you are a foreign national; your residential or workplace address for notification; your e-mail address, telephone and fax number, if any, for notification; and your request. Information and documents relating to the subject must be attached to the application. For applications prepared without filling in the application form, all of the above-mentioned information must be submitted to our Company in full. Otherwise, the application will not be considered a valid application.
For third parties to apply on behalf of data subjects whose personal data is processed, a special power of attorney issued through a notary public in the name of the person who will submit the application must be provided by the data subject.
Our Company may request additional information for the purpose of verifying that the applicant is the data subject whose personal data is processed and to ensure that the application results are communicated to the right person (for example, sending a message to your registered phone number or calling you for additional verification).
Your request in the application will be finalized free of charge as soon as possible and within thirty (30) days at the latest, depending on the nature of the request. However, if the process requires an additional cost for the Company, a fee may be charged in accordance with the tariff determined by the Personal Data Protection Board. If your request is accepted, it will be fulfilled. If your request is rejected as a result of the examination and assessment, the reasons for the rejection will be notified to you in writing or electronically.
You may obtain detailed information regarding the right to apply to the data controller and to lodge a complaint to the Board from Articles 13, 14 and 15 in Section Four of the Law.
Pursuant to Article 28 of the Law, Bien may reject a data subject’s application, by stating the reasons, in the following cases:
Where personal data is processed by real persons within the scope of activities related to themselves or family members living in the same residence, provided that such data is not given to third parties and the obligations relating to data security are complied with,
Where personal data is anonymized through official statistics and processed for purposes such as research, planning and statistics,
Where personal data is processed for artistic, historical, literary or scientific purposes, or within the scope of freedom of expression, without violating national defense, national security, public security, public order, economic security, the privacy of private life, or personal rights, and not constituting a criminal offense,
Where personal data is processed by public institutions and organizations that are authorized by law to maintain national defense, national security, public security, public order or economic security, within the scope of preventive, protective and intelligence activities,
Where personal data is processed by judicial authorities or execution authorities with regard to investigation, prosecution, trial or execution procedures.
Pursuant to Article 28/2 of the Law, provided that it is in line with the purpose and fundamental principles of the Law and proportional, the following provisions shall not apply in the cases listed below: Article 10 regulating the data controller’s disclosure obligation, Article 11 regulating the rights of the data subject (excluding the right to claim compensation for damages), and Article 16 regulating the obligation to register with the Data Controllers’ Registry:
Where processing of personal data is necessary for the prevention of crime or criminal investigation,
Where the personal data processed has been made public by the data subject,
Where processing of personal data is necessary for the performance of supervisory or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations that are public institutions, based on the authority granted by law,
Where processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial issues.
This Policy entered into force on the date of its publication. Bien reserves the right to amend this Policy in order to provide up-to-date information regarding its practices relating to the protection of personal data and legislative changes.
Where the Policy, in whole or in part, is updated, such updates will enter into force on the date of their publication.
Bien, as the Data Controller, is responsible for the implementation of this Policy, monitoring and coordinating all actions and activities in relation to compliance with the Law, and supervision. In matters relating to the processing and protection of personal data, the relevant legal regulations in force shall be primarily applicable. In the event of any inconsistency between the legislation in force and this Policy, Bien accepts that the provisions of the legislation in force shall prevail.
| TERM | DESCRIPTION |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Special Categories of Personal Data | Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data, are special categories of personal data. |
| Explicit Consent | Consent based on information and expressed with free will, relating to a specific subject. The data subject has the right to withdraw consent at any time. |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
| Data Subject / Relevant Person | The natural person whose personal data is processed. |
| Contact Person | The person responsible for facilitating communication between the data controller and the data subject or the Personal Data Protection Authority. |
| Processing of Personal Data | Any operation which is performed on personal data, whether or not by automated means, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or preventing the use thereof, provided that the data is part of a data recording system, whether fully or partially automated or non-automated. |
| Data Recording System | A recording system in which personal data is structured and processed according to specific criteria. |
| Anonymization | Rendering personal data impossible to associate with an identified or identifiable natural person, even when matched with other data. |
| Board | The Personal Data Protection Board. |
| Authority | The Personal Data Protection Authority. |
| Data Processor | The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. |