E-Catalog

Personal Data Protection Law

Personal Data Protection Law

Policy on Use, Protection and Processing of Personal Data
1) PURPOSE

As RYS Rota İnşaat Metal Yapı Sistemleri Sanayi ve Ticaret Limited Şirketi (“RYS Rota” or the “Company”), since the effective date of the Personal Data Protection Law No. 6698 (“KVKK”, “Relevant Legislation” or the “Law”) (April 7, 2016), we have placed great importance on protecting the personal data of real persons we come into contact with in any way while performing our commercial activities (our employees, interns, apprentices, main contractor company officials and employees, company officials-shareholders-partners, proxies, visitors, registered persons, potential and current supplier officials and employees, administrative institution officials, product or service recipients and third parties with whom we enter into relationships) and, within this framework, fully complying with the requirements of the KVKK.

The main purpose of this Policy is to provide explanations about the personal data processing activities carried out by RYS Rota in accordance with the law and the systems adopted for the protection of personal data, and to ensure transparency by informing our employees, interns, apprentices, main contractor company officials and employees, company officials-shareholders-partners, deputies, visitors, registered persons, potential and current supplier officials and employees, administrative institution officials, product or service recipients and third parties with whom we have relations.

2) SCOPE

This Policy is related to all personal data of our employees, interns, apprentices, main contractor company officials and employees, company officials-shareholders-partners, deputies, visitors, registered individuals, potential and current supplier officials and employees, administrative institution officials, product or service recipients and third parties with whom we have a relationship, processed automatically or non-automatically provided that it is part of any data recording system, and is applied to all processes of RYS Rota.

3) IMPLEMENTATION OF THE POLICY AND RELATED LEGISLATION

Relevant applicable legal regulations regarding the processing and protection of personal data will be the primary application. In the event of any inconsistency between the applicable legislation and the Policy, our Company acknowledges that the applicable legislation will prevail.

4) DEFINITIONS AND ABBREVIATIONS

TO SQUEEZE

PLANT

PERSONAL DATA

Any information relating to an identified or identifiable natural person.

PROCESSING OF PERSONAL DATA

Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.

BOARD

Personal Data Protection Board.

SPECIAL NATURE PERSONAL DATA

Data regarding individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

DATA OWNER/RELEVANT PERSON

The natural person whose personal data is processed.

DATA PROCESSOR

A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

DATA CONTROLLER

The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

EXPLICIT CONSENT

Consent based on informed consent and expressed freely on a specific matter.

WORKER

Real persons who are RYS Rota employees.

EMPLOYEE CANDIDATE

Natural persons who are not RYS Rota employees but have the status of RYS Rota employee candidate due to the application.

POLITICS

RYS Rota Personal Data Protection and Processing Policy.

LAW

Personal Data Protection Law No. 6698 dated April 7, 2016.

DATA OWNER APPLICATION FORM

The application form that data owners will use when applying for their rights under Article 11 of the KVKK.

NOTIFICATION ON THE PROCEDURES AND PRINCIPLES OF APPLICATION TO THE DATA CONTROLLER

Communiqué on the Procedures and Principles of Application to the Data Controller, which entered into force upon publication in the Official Gazette dated 10 March 2018 and numbered 30356.

NOTIFICATION ON THE PROCEDURES AND PRINCIPLES TO BE FOLLOWED IN FULFILLING THE OBLIGATION TO DISCLOSE

Communiqué on the Procedures and Principles to be Followed in Fulfilling the Disclosure Obligation, which entered into force upon publication in the Official Gazette dated 10 March 2018 and numbered 30356, and was amended by the communiqué published in the Official Gazette dated 28 April 2019 and numbered 30758.

5) DATA SUBJECTS WHOSE PERSONAL DATA IS PROCESSED BY OUR COMPANY

Data owners whose personal data are processed by RYS Rota and are within the scope of the RYS Rota Personal Data Protection and Processing Policy are grouped below:

Shareholders/Partners of RYS Rota

Natural persons who are shareholders of RYS Rota.

RYS Route Company Official

A natural person authorized to represent RYS Rota.

Note

The real person that RYS Rota contacts for official transactions such as approval of documents and issuance of power of attorney while carrying out its commercial and business activities.

Delegate

The natural person who authorizes RYS Rota to carry out its commercial activities without interruption.

RYS Rota’s Technical Staff

Real persons from whom RYS Rota receives technical support and fulfills its obligations arising from legislation during the execution of the tender processes.

RYS Route Interns

Real persons who are completing their internship training within RYS Rota.

RYS Route Apprentices

Real persons working within RYS Rota.

People who purchase products or services from RYS Rota

Natural persons who have a contractual relationship with RYS Rota within the scope of the products and services offered by RYS Rota.

Potential Suppliers

Natural persons who are employees, officers or shareholders of RYS Rota and who provide products to RYS Rota on a contractual basis in accordance with its orders and instructions while carrying out its commercial activities.

People Who Purchased Products or Services

Real persons from whom RYS Rota purchases goods/services while carrying out its activities.

RYS Route Project Manager

Real persons from whom RYS Rota receives technical support and fulfills its contractual obligations during the execution of the contract processes.

RYS Rota General Assembly Secretary

The natural person who keeps minutes of RYS Rota’s general assembly meetings.

Relevant Bank Personnel

The real person with whom RYS Rota comes into contact while carrying out its commercial activities.

Relevant Insurance Company Official

A natural person with whom RYS Rota has a contractual relationship to ensure the security of personnel, movable property, etc.

RYS Route Employees

Natural persons whose personal data are processed within the scope of activities such as efficiency, employee satisfaction, human resources, audit, information technologies and security, legal compliance, commercial etc. carried out by RYS Rota and who have an employment contract with RYS Rota.

RYS Route Supplier; Supplier Employee and Supplier Official

Natural persons who are employees, officers or shareholders of RYS Rota and who provide products to RYS Rota on a contractual basis in accordance with its orders and instructions while carrying out its commercial activities.

RYS Rota’s Main Contractor Company Official

Real persons with whom RYS Rota has business relations in order to carry out its commercial activities.

Administrative Institution Officials

Natural persons whose personal data are processed due to official documents that RYS Rota is legally obliged to obtain, such as licenses etc.

RYS Rota Inc. Visitors

Real people who visited the RYS Rota building.

RYS Route Internet Users

Real persons using the company’s internet within the RYS Rota building.

RYS Route Website Visitors

Those who contact RYS Rota through RYS Rota’s website.

Other Natural Persons

Other natural persons whose data is processed within the scope of RYS Rota’s Personal Data Protection and Processing Policy, who are related to these persons in order to protect the rights of personal data owners and from whom their data is not obtained (person who has been involved in an accident, etc.).

6) CATEGORIZATION OF PERSONAL DATA

RYS Rota processes personal data in the categories specified in Table 1 below, in accordance with the principles of processing personal data specified in KVKK and the general principles in the relevant law, based on one or more of the personal data processing conditions specified in KVKK Article 5 and Article 6, and in line with our Company’s legitimate and lawful personal data processing purposes, by informing the relevant persons in accordance with KVKK Article 10.

TABLE 1

PERSONAL DATA CATEGORY

PERSONAL DATA

IDENTITY

Name – Surname, Mother – Father’s Name, Date of Birth, Place of Birth, Marital Status, Identity Card Serial-Sequence Number, TR Identity Number, Signature, Signature Circular, Title and Registration Number.

COMMUNICATION

Address No, E-Mail Address, Contact Address, Telephone Number and Residence Information.

TRANSACTION SECURITY

IP Address Information, Website Login and Logout Information, Password and Passcode Information and TR Identity Number.

PERSONALITY

Payroll Information, Timesheet Records, Employment Document Records, Dismissal Document Records, Resume Information, Performance Evaluation Reports, Annual Leave Information, Disciplinary Report, Family Status Notification, Military Service Status Information, IBAN Information, Personal Protective Equipment Delivery Report, Work Safety Instruction, Individual Pension Contract Number, Professional Competence Certificate and Camera Recording Samples.

VISUAL AND AUDIO RECORDINGS

Photograph.

LEGAL ACTION

Information in Correspondence with Judicial Authorities, Information in the Case File, Mediation Reports, Name-Surname Processed Due to Traffic Fines and Data Processed Due to Traffic Accident Report.

PROFESSIONAL EXPERIENCE

Diploma Information, Courses Attended, Vocational Training Information, Certificates, Transcript Information and Certificate of Education.

PHYSICAL SPACE SECURITY

Camera Records.

HEALTH INFORMATION

Disability Information, Blood Group Information, Personal Health Information, Vacation Report, Incapacity Report, Ministry of Transport Vocational Competence Certificate (SRC Certificate), Psychotechnical Evaluation Result Certificate and Work Accident Report.

CRIMINAL CONVICTION AND SECURITY MEASURES

Criminal Record.

CUSTOMER TRANSACTION

Request Information, Order Information, Invoice, Check and Bill.

SUPPLY PROCESS

Invoice and Order Information.

MARKETING

Purchase History Information, Cookie Records and Survey.

FINANCE

Account Number, Balance Sheet, Financial Performance Activity, Credit and Risk Information and Asset Information.

BIOMETRIC DATA

Fingerprint Information.

LOCATION INFORMATION

Location.

OTHER

Plate.

Table 2 below explains in detail the categories of personal data owners and the types of personal data of the people in these categories are processed.

TABLE 2

PERSONAL DATA CATEGORY

DATA SUBJECT CATEGORY TO WHICH THE RELEVANT PERSONAL DATA IS ASSOCIATED

IDENTITY

Company Employees, Technical Personnel, Main Contractor Company Official, RYS Rota Company Official, Administrative Institution Official, Notary, Attorney, Intern, Apprentice, Shareholder/Partner, Product or Service Recipient, Supplier Official or Employee, Product or Service Recipient, Project Manager, General Assembly Secretary, Relevant Bank Personnel, Insurance Company Official, Potential Supplier and WEB Site Visitor.

COMMUNICATION

Company Employees, Main Contractor Company Official, RYS Route Official, Assignee, Intern, Apprentice, Shareholder/Partner, Product or Service Buyer, Supplier Official or Employee, Potential Product or Service Buyer, Potential Supplier and WEB Site Visitor.

INFORMATION ON CRIMINAL CONVICTIONS AND SECURITY MEASURES

Company Employees, Interns and Apprentices.

VISUAL AND AUDIO RECORDINGS

Company Employees and Supplier Official or Employee.

HEALTH INFORMATION

Company Employees, Interns and Apprentices.

PHYSICAL SPACE SECURITY

Visitor.

LEGAL ACTION

Company Employees and the Accident Injured Person.

CUSTOMER TRANSACTION

Company Employees, Main Contractor Company Official, Product or Service Purchaser and WEB Site Visitor.

SUPPLY PROCESS

Supplier Official or Employee.

MARKETING

Supplier Official or Employee and Visitor.

PERSONALITY

Company Employees, Interns and Apprentices.

PROFESSIONAL EXPERIENCE

Company Employees, Interns and Apprentices.

TRANSACTION SECURITY

Company Employees and Internet Visitors.

FINANCE

Company Employees, Shareholder/Partner and Product or Service Purchaser.

BIOMETRIC DATA

Company Employees.

LOCATION INFORMATION

Supplier Official or Employee.

OTHER

Supplier Official or Employee.

7) ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the KVKK, RYS Rota has taken the necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data it processes, to prevent unlawful access to data and to ensure the preservation of data, and in this context, it carries out the necessary infrastructure security audits and cyber security audits using software and programs.

7.1) ENSURING THE SECURITY OF PERSONAL DATA

RYS Rota takes all necessary technical and administrative measures to ensure the appropriate level of security required to protect personal data. The measures stipulated in Article 12/1 of the Personal Data Protection Law are as follows:

To prevent the unlawful processing of personal data,

To prevent unlawful access to personal data,

To ensure the protection of personal data.

The measures taken by RYS Rota in this context are listed below:

7.1.1) ADMINISTRATIVE MEASURES

The notification on the procedures and principles to be applied in fulfilling the obligation to inform and the information texts within the scope of Articles 10 and 11 of the Personal Data Protection Law have been prepared and used.

The Personal Data Protection and Processing Policy has been prepared and is being used.

Personal Data Processing Inventory has been prepared and policies, texts etc. have been created in light of this inventory.

An application form has been created and made available to the relevant parties pursuant to Article 11 of the Personal Data Protection Law and the Communiqué on the Procedures and Principles for Applications to the Data Controller. In this context, the aim is to fulfill the request within the legally required period, including application response texts. Otherwise, the reason for such request will be communicated to the relevant party within the legally required period.

In case of a personal data breach, a Breach Notification Policy has been created with a notification infrastructure for the relevant person and institution to ensure that the process is overcome as quickly and with the least damage.

The decisions of the Personal Data Protection Authority have been incorporated into data security processes within the scope of awareness and compliance training, and new decisions are being monitored.

Disciplinary regulations that include data security provisions are in place for employees. Employee training and awareness campaigns on data security are conducted periodically. Employees are required to sign confidentiality agreements regarding company activities.

During the personal data processing inventory preparation process, the Access and Authorization Control Matrix was created and auditing was aimed.

A “policy for the use of communication tools” and a “password policy” have been prepared to raise employee awareness and ensure the security of business processes.

Employment contracts of employees have been revised in terms of the protection of personal data.

Institutional policies regarding access and authorization policy, information security, usage, storage and destruction have been prepared and implemented.

The authority of employees who change their duties or leave their jobs is revoked in this area.

Extra security measures are taken for personal data transferred via paper, and the relevant documents are sent in a confidential document format.

Necessary Procedures for processes requiring the processing of personal data have been prepared and are being used.

Personal data is reduced as much as possible.

Explicit consent texts have been prepared and are being used for data processing, excluding the exceptions in Articles 5 and 6 of the Personal Data Protection Law, and are now being used within the scope of provisional article 1/3. A consent withdrawal form has been created for those who wish to withdraw their consent, aiming to ensure the process continues with the same speed and efficiency as consent granting.

A separate policy and procedures for the security of special personal data have been determined and implemented.

Explicit consent texts have been prepared and are being used for data processing, excluding the exceptions in Articles 5 and 6 of the Personal Data Protection Law, and are now being used within the scope of provisional article 1/3. A consent withdrawal form has been created for those who wish to withdraw their consent, aiming to ensure the process continues with the same speed and efficiency as consent granting.

A “transfer policy” has been prepared to set out the general framework for personal data transfer.

To ensure the effective destruction of data transferred to third parties, either ex officio or upon request, a third-party data destruction notice has been issued. Furthermore, given that the data subject may request correction, a correction notice has been issued for data transferred to third parties.

A “transfer policy” has been prepared to set out the general framework for personal data transfer.

“Privacy and Cookie” policies have been prepared for situations where data is provided automatically through the website or non-automatically through the application form on the website.

7.1.2) TECHNICAL MEASURES

Up-to-date anti-virus systems are used.

Personal data is backed up and the backed up personal data

security is also provided.

User account management and authorization control systems are implemented and monitored.

If sensitive personal data is to be sent via e-mail, it must be encrypted and sent using a corporate e-mail account.

Intrusion detection and prevention systems are used.

Cyber ​​security measures have been taken and their implementation is constantly monitored.

Encryption is being done.

Penetration testing is performed

A firewall is used.

Security measures are taken within the scope of information technology systems procurement, development and maintenance.

Network security and application security are provided.

Firewall and gateway measures are taken.

Hardware and software are subject to secure installation and configuration processes.

Unused software and services are deleted.

The adequacy of security measures taken for systems is checked regularly.

Access to systems containing personal data is restricted.

Passwords and passcodes are changed at regular intervals.

Account deletion is provided without delay for employees whose relationships are terminated.

To protect against malware, products such as anti-virus and anti-spam are used that regularly scan the information system network and detect threats.

If personal data is to be obtained from different websites/mobile application channels, the connections are made via SSL or a more secure method.

It is checked which software and services are running on IT networks.

It can be determined whether there is a leak or a movement that should not have occurred in information networks.

Security issues are reported as quickly as possible.

Entry and exit to electronic and printed media containing personal data are under control.

The environments in question have been protected against external risks such as fire, flood, etc. with appropriate methods.

Access between network components for personal data in electronic environment is restricted or separated.

If data is to be transferred via e-mail, necessary security measures are taken.

Printed documents, servers, backup devices and devices such as USB containing personal data are kept in a separate section where additional security measures will be taken, and entry and exit to these areas are controlled.

Internationally accepted encryption programs are used to help fully protect personal data.

7.2) PROTECTION OF SPECIAL NATURE PERSONAL DATA

With the KVKK, special importance is given to certain personal data due to the risk of causing victimization or discrimination in the event of unlawful processing.

These data include data regarding race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

RYS Rota is meticulous about protecting sensitive personal data, which is designated as “special” under the Personal Data Protection Law and processed in accordance with the law. In this context, our Company diligently implements the technical and administrative measures taken to protect personal data, and the necessary controls are maintained within our Company.

Detailed information on the processing of special categories of personal data is provided under Heading 8.3 of this Policy.

In addition, the Special Personal Data Processing Policy has been created and the necessary measures and operating principles have been set forth in accordance with the decision of the Personal Data Protection Authority dated 31/01/2018 and numbered 2018/10.

8) ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

RYS Rota processes personal data in accordance with the procedures and principles stipulated in the Personal Data Protection Law (KVKK) and other relevant laws. In this context, RYS Rota fully complies with the following principles set forth in the KVKK when processing personal data.

8.1) GENERAL PRINCIPLES ON PROCESSING PERSONAL DATA

8.1.1) PROCESSING IN ACCORDANCE WITH THE LAW AND HONESTY RULES

In accordance with this principle, RYS Rota’s data processing processes are carried out within the limits required by all relevant legislation, particularly the Constitution and the Personal Data Protection Law, as well as by the rules of integrity. Within this framework, personal data is processed to the extent and limited to the extent required by our Company’s business activities.

8.1.) ENSURING THAT PERSONAL DATA IS ACCURATE AND UP-TO-DATE WHEN NECESSARY

Our company ensures that personal data is accurate and up-to-date, taking into account the fundamental rights and legitimate interests of personal data owners. Necessary measures are taken to ensure this, and data owners are provided with the necessary information and resources to ensure that the data being processed reflects the true situation.

8.1.3) PROCESSING FOR SPECIFIC, EXPRESS AND LEGITIMATE PURPOSES

RYS Rota processes personal data only for clearly and explicitly defined legitimate purposes and does not engage in any data processing activities other than these purposes. In this context, RYS Rota processes personal data only in connection with the service and business relationship established with data subjects and when necessary for these purposes.

8.1.4) RELEVANT, LIMITED AND PROPORTIONATED TO THE PURPOSE FOR WHICH THEY WERE PROCESSED

Data is processed by RYS Rota in accordance with the KVKK and other relevant legislation, in a manner suitable for the realization of the purposes determined according to the data categories, in a way that is relevant and proportionate to the realization of the purpose, and the processing of unnecessary personal data is avoided.

8.1.5) STORAGE FOR THE PERIOD SET FORTH IN RELEVANT LEGISLATION OR NECESSARY FOR THE PURPOSE FOR WHICH THEY ARE PROCESSED

Our Company retains personal data only for the period specified in relevant legislation or necessary for the purpose for which it is processed. In this context, our Company first determines whether relevant legislation specifies a retention period for personal data. If so, it complies with this period. If no such period is specified, it retains personal data for the period necessary for the purpose for which it is processed.

If the period expires or the reasons requiring processing disappear, personal data is deleted or destroyed by our Company.

RYS Rota does not store personal data that may be used in the future.

8.2) CONDITIONS FOR PROCESSING PERSONAL DATA

The conditions for processing personal data are regulated by KVKK, and personal data is processed by RYS Rota in accordance with the conditions stated below.

Except for the exceptions listed in the second paragraph of Article 5 of the relevant Law, RYS Rota processes personal data only with the explicit consent of data subjects. In the event of the exceptions listed in the Law, personal data may be processed without the explicit consent of the data subject. While the legal bases for processing personal data by our company vary, all personal data processing activities are carried out in accordance with the principles set forth in Article 4 of Law No. 6698.

8.2.1) EXPLICIT CONSENT OF THE PERSONAL DATA OWNER

One of the conditions for processing personal data is the data subject’s (data subject’s) explicit consent. The data subject’s explicit consent must be specific, informed, and freely given.

In order for personal data to be processed based on the explicit consent of the personal data owner, explicit consent is obtained from employees, interns and apprentices through texts.

8.2.2) CLEARLY PROVIDED IN LAWS

The data owner’s personal data may be processed without the express consent of the data subject in accordance with the law, if this is expressly provided for by law.

8.2.3) OBTAINING EXPLICIT CONSENT OF THE SUBJECT DUE TO ACTUAL IMPOSSIBILITY

If the processing of personal data is necessary to protect the life or physical integrity of a person who is unable to give his consent due to a physical impossibility or whose consent cannot be validated, or of another person, the personal data of the data subject may be processed without obtaining his explicit consent.

8.2.4) DIRECTLY RELATED TO THE ESTABLISHMENT OR PERFORMANCE OF THE CONTRACT

If the processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data without obtaining the explicit consent of the person concerned.

8.2.5) COMPANY’S FULFILLMENT OF ITS LEGAL OBLIGATIONS

If it is necessary for our company to fulfill its legal obligations as a data controller, personal data may be processed without the explicit consent of the data owner.

8.2.6) PERSONAL DATA OWNER’S MAKING HIS PERSONAL DATA PUBLIC

If the data owner has made his/her personal data public, the relevant personal data may be processed without obtaining his/her explicit consent.

However, the publicization here remains only within the scope of the publicization purpose of the relevant person, and data processing is not carried out with a broad evaluation.

8.2.7) DATA PROCESSING IS NECESSARY TO ESTABLISH OR PROTECT A RIGHT

If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data subject may be processed without obtaining the explicit consent of the data subject.

8.2.8) DATA PROCESSING IS NECESSARY FOR THE LEGITIMATE INTEREST OF OUR COMPANY

If data processing is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner, personal data may be processed without obtaining explicit consent.

Of the data processing purposes explained under Heading 11 below, data processing has been pursued for legitimate interests, taking into account security, performance, and risk conditions. In this context, the review is being conducted with a narrow interpretation.

8.3) PROCESSING OF SPECIAL NATURE PERSONAL DATA

Article 6 of the Personal Data Protection Law (KVKK) designates certain personal data as “special categories” if processed unlawfully, which poses a risk of victimization or discrimination. This data includes data related to race, ethnicity, political views, philosophical beliefs, religion, sect, or other beliefs, appearance, membership in associations, foundations, or unions, health, sexual life, criminal convictions, security measures, and biometric and genetic data.

RYS Rota takes special care in the processing of special personal data, the protection of which is believed to be of critical importance to data owners in various respects. Sensitive personal data is processed by RYS Rota in accordance with the principles set forth in this Policy, by taking the necessary administrative and technical measures, including methods determined by the Board, and in the presence of the following conditions:

Sensitive personal data, excluding those related to health and sexual life, may be processed without the explicit consent of the data subject if it is expressly provided for by law, that is, if the law governing the relevant activity includes an explicit provision regarding the processing of personal data. Otherwise, the data subject’s explicit consent is required for the processing of such sensitive personal data.

Sensitive personal data related to health and sexual life may be processed without explicit consent by individuals or authorized institutions and organizations under a confidentiality obligation for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and procedures. Otherwise, the data subject’s explicit consent will be obtained before such sensitive personal data can be processed. Our company processes health data only with the explicit consent of the data subject (the relevant person), and no data related to sexual life is processed. However, health data may also be processed without explicit consent, limited to the purpose and purpose of periodic examinations by the workplace physician, who is subject to a confidentiality obligation under Article 6/3 of the Personal Data Protection Law.

8.4) INFORMATION OF THE PERSONAL DATA OWNER

RYS Rota provides information to personal data subjects in accordance with Article 10 of the Law and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Information Obligation. In this context, the information texts provided by RYS Rota to data subjects include the following information:

Our company’s title,

Personal data and special personal data of the relevant data owner being processed by our company,

The purposes for which the personal data of data owners will be processed by RYS Rota,

The method and legal reason for collecting personal data,

To whom and for what purpose the processed personal data can be transferred,

Data subject rights.

While fulfilling the obligation to inform data owners explained above, the following procedures are generally applied:

Information texts for employees, trainees, apprentices and technical personnel are physically posted in the workplaces where they are accepted and entered into employment and presented as an annex to the contract,

By physically hanging it in the places where Shareholders/Partners, Company Officials, General Assembly Secretary, and Proxy are allowed to enter,

It is presented physically during the establishment of the relationship with the Main Contractor Company Officials, Supplier Officials or Employees, Persons Buying and Receiving Products or Services, Potential Suppliers, Potential Product or Service Recipients, Relevant Bank Personnel, Insurance Company Officials, Notaries, Administrative Institution Officials, and it is turned into a communication attachment in case of establishing the relationship electronically.

For those whose visual data is recorded by being present in camera recording areas, by hanging them next to cameras in common and strictly used areas,

By making it accessible on the website to visitors who use the contact form on the website and to those who visit the website,

For visitors who prefer to use the internet, lighting is provided in their rooms or common areas to fulfill their obligation. Work is underway to provide this lighting in the interface system, and the aforementioned system will be adopted as the lighting method.

If new data is obtained regarding the relevant persons or if data processing is required for a new purpose, care is taken to present the information text to the relevant person in an updated manner.

9) TRANSFER OF PERSONAL DATA

RYS Rota may transfer personal data and special categories of personal data of data subjects to third parties by taking the necessary security measures in accordance with the lawful personal data processing purposes. In this regard, our company complies with the regulations stipulated in Articles 8 and 9 of the Law. The table below lists the third parties to whom our company transfers personal data:

PERSONS/INSTITUTIONS TO WHICH DATA CAN BE TRANSFERRED

PLANT

PURPOSE OF DATA TRANSFER

Textbooks

The institution to which our Company is obliged to send information and documents in accordance with the relevant legislation.

Fulfillment of obligations arising from legislation.

LEGALLY AUTHORIZED PUBLIC INSTITUTIONS AND ORGANIZATIONS

It defines the public institutions and organizations authorized to receive information and documents from RYS Rota in accordance with the provisions of the legislation.

Fulfillment of obligations arising from legislation.

Certified Public Accountant

The real person to whom our Company is obliged to send information and documents in accordance with the relevant legislation.

Fulfillment of obligations arising from legislation.

SUPPLIER

The party that provides services to our Company on a contract basis in accordance with the orders and instructions of our Company while carrying out our Company’s commercial activities.

Fulfillment of product and service procurement processes.

GİB

The institution to which our Company is obliged to send information and documents in accordance with the relevant legislation.

Fulfillment of obligations arising from legislation.

RELATED BANK

The bank through which payment processes for an employee, supplier or other natural person are completed.

Ensuring legal follow-up of payment processes

OSGB COMPANY

It defines the natural or legal person from whom our company receives services within the scope of Occupational Health and Safety measures.

Fulfillment of obligations arising from legislation.

TAX OFFICE

It defines the public institutions and organizations authorized to receive information and documents from RYS Rota in accordance with the provisions of the legislation.

Fulfillment of obligations arising from legislation.

TRANSPORT COMPANY

It defines the legal entity from which our company receives transportation services for document delivery.

Ensuring document delivery in line with employee requests

PEAK

Your personal data is not directly shared with the service custodian. Relevant data is entered into the program provided to us through the interface used for accounting purposes. Therefore, a “data processing agreement” has been signed with the software developer to ensure the security of your personal data.

Execution and monitoring of company activities.

BUSINESS PARTNERS

It defines the legal entity with which our company cooperates during its commercial activities.

Execution of contract processes.

LAWYER

A natural person from whom our Company receives services in order to fulfill its obligations arising from legislation, to ensure compliance with the law and to follow up legal processes.

Follow-up and execution of legal affairs.

ISKUR

It defines the public institutions and organizations authorized to receive information and documents from RYS Rota in accordance with the provisions of the legislation.

Fulfillment of obligations arising from legislation.

BUSINESS PARTNERS

It defines the legal entity with which our company cooperates during its commercial activities.

Execution of contracts and business processes, operation of the reporting system.

SHAREHOLDERS

Real persons who own company shares and take part in the administrative and corporate processes of our company.

Execution of contracts and business processes, operation of the reporting system.

PARTICIPATIONS

It defines the legal entity with which our company cooperates during its commercial activities.

Execution of contracts and business processes, operation of the reporting system.

AFFILIATES

It defines the legal entity with which our company cooperates during its commercial activities.

Execution of contracts and business processes, operation of the reporting system.

COMMUNITY COMPANIES

It defines the legal entity with which our company cooperates during its commercial activities.

Execution of contracts and business processes, operation of the reporting system.

MAIN CONTRACTOR COMPANY OFFICIAL OR EMPLOYEES

Real persons affiliated with the company above them in terms of the work undertaken by our company as a Subcontractor in order to carry out its commercial activities.

Execution of contracts and business processes, evaluation of contract compliance, operation of the reporting system

NOTE

It defines the real person who issues or approves the documents requested by RYS Rota in accordance with the legislative provisions and business processes.

Fulfillment of obligations arising from legislation.

CONTRACTING AUTHORITIES

It defines the public institutions and organizations authorized to receive information and documents from RYS Rota in accordance with the provisions of the legislation.

Fulfillment of obligations arising from legislation.

RELATED SCHOOL

It defines the public institutions and organizations authorized to receive information and documents from RYS Rota in accordance with the provisions of the legislation.

Fulfillment of obligations arising from legislation.

PIXEL MEDIA LTD. STI.

It defines the legal entity from which our company receives services in order to develop electronic record systems and carry out storage activities.

Procurement of storage and archive services.

CUSTOMS CONSULTANCY

The legislation identifies the public institutions and organizations authorized to receive information and documents from RYS Rota. A data processing agreement has been signed with the software developer to ensure the security of your personal data.

Fulfillment of obligations arising from legislation.

LOGISTICS COMPANIES

It defines the legal entity from which our company receives services in order to carry out logistics processes within the scope of its export-import activities.

Carrying out logistics and delivery activities.

Diogenes Inc.

This refers to the legal entity that receives services for the collection of anonymous user data. A “data processing agreement” has been signed with the software developer to ensure the security of your personal data.

Improving quality by evaluating website activities

INTERNET ACCESS SECURITY PROVIDER COMPANY

It defines the legal entity from which services are received to fulfill obligations arising from Law No. 5651. A “data processing agreement” has been signed with the software developer to ensure the security of your personal data.

Fulfilling the obligations arising from the legislation and obtaining the necessary records

9.1) TRANSFER OF PERSONAL DATA

Even if the personal data owner does not give explicit consent, personal data may be transferred to third parties by RYS Rota, provided that one or more of the following conditions are met, by taking all necessary security measures, including the methods prescribed by the Board:

The relevant person must have explicit consent for the transfer of personal data,

The relevant activities regarding the transfer of personal data are clearly prescribed by law,

The transfer of personal data by the Company is directly related to and necessary for the establishment or performance of a contract,

The transfer of personal data is mandatory for our Company to fulfill its legal obligations,

Limited transfer of personal data for the purpose of publicity, provided that the data owner has made the data public,

The transfer of personal data by the Company is necessary for the establishment, exercise or protection of the rights of the Company, the data owner or third parties,

It is necessary to transfer personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data owner.

If it is necessary for a person who is unable to give his consent due to a physical impossibility or whose consent is not legally valid, to protect his own life or the physical integrity of another person.

9.2) TRANSFER OF SPECIAL NATURE PERSONAL DATA

Sensitive personal data may be transferred by RYS Rota in accordance with the principles set forth in this Policy and by taking all necessary administrative and technical measures, including the methods determined by the Board, and in the presence of the following conditions:

Sensitive personal data, excluding those related to health and sexual life, may be processed without the explicit consent of the data subject if it is expressly provided for by law, that is, if there is a clear provision in the relevant law regarding the processing of personal data. Otherwise, the data subject’s explicit consent will be obtained.

Sensitive personal data related to health and sexual life may be processed without explicit consent by persons under a confidentiality obligation or authorized institutions and organizations for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, and planning and managing healthcare services and their financing. Therefore, no transfer will be made without the data subject’s explicit consent.

9.3) TRANSFER OF PERSONAL DATA ABROAD

Our Company may transfer the Personal Data and Special Personal Data of Personal Data Owners to third parties abroad by taking the necessary security measures in line with the purposes of processing Personal Data.

Our Company may transfer Personal Data to foreign countries that have been declared to have adequate protection by the Personal Data Protection Board or, if there is insufficient protection, to foreign countries where the data controllers in Türkiye and the relevant foreign country have undertaken in writing to provide adequate protection and where the Personal Data Protection Board has given its consent.

For detailed information on the transfer of personal data abroad, you can contact us and review the International Transfer Procedure.

10) PROCESSING AND STORAGE OF PERSONAL DATA

RYS Rota retains personal data for the period necessary for the purpose for which it is processed and in accordance with the minimum periods stipulated in the applicable legal regulations governing the relevant activity. In this context, our Company first determines whether the relevant legislation specifies a retention period for personal data, and if so, it complies with this period. If no legal period exists, personal data is retained for the period necessary for the purpose for which it is processed. At the end of the designated retention periods, personal data is destroyed in accordance with periodic destruction periods or the data subject’s request, and by the specified destruction methods (deletion and/or destruction). For detailed information on this matter, please contact our company and review our Personal Data Retention and Destruction Policy.

11) PURPOSES OF PROCESSING PERSONAL DATA PROCESSED BY OUR COMPANY

RYS Rota processes your personal data to serve the following purposes:

Main Objectives

Sub-Objectives

Execution of the Company’s Human Resources Policies

– Carrying out processes regarding the essential and side rights of employees arising from employment contracts and legislation,

– Fulfillment of obligations arising from contractual relations and legislation,

– Carrying out the selection and placement processes of candidate employees, trainees and apprentices and providing internship support,

– Execution of Human Resources Processes and Policies,

– Carrying out procedures for evaluating job applications and job suitability,

– Granting Power of Attorney within the Scope of Assignment and Conducting Authorization Processes and Performance Evaluation Processes.

Carrying out and executing the necessary studies, research and planning for the realization and security of commercial activities carried out by the company.

– Designing, developing and implementing corporate governance and communication activities,

– Planning and Execution of the Company’s Commercial and Business Activities and/or Business Processes,

– Carrying out supply relations and supply chain management processes related to the purchasing activities of goods or services,

– Providing material prices and technical information, requesting materials and tracking orders,

– Conducting Marketing and Supply Analysis Studies and Communication Activities,

– Carrying out management activities,

– Preparation of cost and offer within the scope of customer and project research, and offer presentation and follow-up,

– Execution of Contract Processes,

– Taking Application Measurements, Preparing Projects, Obtaining Project Approval and Preparing Orders,

– Determining, Executing and Developing the Company’s Business Strategies and Investment Processes and Carrying Out Business Continuity Activities,

– Planning and Execution of Production, Supply and/or Operation Processes,

– Monitoring the current status of orders related to the construction site and the current manufacturing status, and informing about the changing manufacturing or adding new manufacturing,

– A New Request or Revision of an Existing Request Regarding the Construction Site,

– Conducting Tender Processes,

– Execution of Goods and Services Sales Processes,

– Determination of potential companies to supply materials.

Ensuring the Legal, Technical and Occupational Safety of the Company, its Employees and Persons in Business Relations with the Company

– Providing information to authorized persons, institutions and organizations,

– Monitoring and Execution of Legal Processes,

– Protection of the Company Against Legal and Criminal Liability,

– Conducting Occupational Health / Safety Activities,

– Ensuring the safety of movable goods, resources and personnel within and around the building,

– Carrying out activities in accordance with legislation,

– Ensuring the Security of Information, Transactions, Data and Devices and Preventing Malicious Use,

– Planning and Execution of Information Technology Processes and Data Security Activities,

– Carrying out activities/developments and analyses regarding access to systems and physical environments and monitoring entry-exit information at controlled access points,

– Tracking the location of the company’s vehicles for security and performance reasons,

– Our company takes legal and commercial security measures and fulfills its obligations,

– Ensuring that safety precautions are taken in the workplace and preventing deterioration of the working environment in the workplace.

Execution of the Company’s Audit Activities and Protection of the Confidence It Inspires in Consumers

– Collecting the Information Required for Conducting Disciplinary, Complaint, Internal Investigation and Audit Activities,

– Measuring and Increasing Customer Satisfaction and Tracking Requests and Complaints within the Scope of Carrying Out Customer Relations Management Activities,

– Quality Control and Evaluation of Service/Contract Performance within the Scope of Carrying Out Activities Aimed at Customer Satisfaction,

– Obtaining Anonymous User Experience-Based Analyses for Corporate Promotional Purposes.

Planning and Execution of Payment Processes to be Made to the Company’s Employees and Persons with Whom the Company Has a Business Relationship

– Execution of processes and policies regarding finance, accounting and wage payments,

– Carrying out storage and archive activities.

Ensuring the Safety of Company Employees in Emergencies

– Execution of Emergency Management Processes.

Carrying out the necessary work to recommend the products and services offered by our company to personal data owners by customizing them according to their tastes, usage habits and needs.

– Planning the activities required to present, recommend and promote our services to the relevant people,

– Improving the Quality of Online Experience,

– Providing and facilitating the online user experience on our website and improving its functionality and performance.

12) SPECIAL CASES WHERE PERSONAL DATA IS PROCESSED

12.1) PERSONAL DATA PROCESSING ACTIVITIES CONDUCTED AT COMPANY BUILDING ENTRANCES AND WITHIN THE BUILDING AND WEBSITE VISITORS

Personal data processing activities carried out by RYS Rota at the entrances and inside the building are carried out in accordance with the Constitution, the Law and other relevant legislation.

To ensure security, our company conducts personal data processing activities within our company building, including monitoring guest entries and exits through security cameras. RYS Rota conducts personal data processing activities through the use of security cameras and recording of guest entries and exits.

The framework for the processing activity in question is determined by the Security Camera Procedure and the processing activity is carried out within these limits.

12.1.1) MONITORING ACTIVITY WITH CAMERA CONDUCTED AT THE ENTRANCES AND INSIDE THE COMPANY BUILDINGS

In this section of the Policy, explanations will be made regarding our company’s camera monitoring system and information will be provided on how personal data, privacy and fundamental rights of the individual are protected.

Our company aims to improve the quality of the service provided, ensure its reliability, ensure the safety of the company, employees, guests and other persons, and protect the interests of its customers regarding the service they receive, within the scope of its security camera monitoring activity.

12.1.2) LEGAL BASIS FOR CAMERA MONITORING ACTIVITY

The camera monitoring activity carried out by our company is carried out in accordance with the relevant legislation.

12.1.3) CONDUCTING MONITORING ACTIVITIES WITH SECURITY CAMERA IN ACCORDANCE WITH THE LAW ON PROTECTION OF PERSONAL DATA

Our company complies with the regulations in the Personal Data Protection Law when conducting camera monitoring activities to ensure security.

Our company carries out surveillance activities using security cameras in order to ensure security in its buildings, for the purposes stipulated in the law and in accordance with the personal data processing conditions listed in the Personal Data Protection Law.

12.1.4) ANNOUNCEMENT OF CAMERA MONITORING ACTIVITY

RYS Rota informs personal data subjects about camera surveillance activities in accordance with Article 10 of the Personal Data Protection Law. Furthermore, in accordance with Article 4 of the Personal Data Protection Law, our company processes personal data in a manner that is relevant, limited, and proportionate to the purposes for which it is processed.

In this way, it is aimed to prevent any harm to the fundamental rights and freedoms of the personal data owner (the relevant person) and to ensure transparency and enlightenment of the personal data owner.

This Policy is published by our company on our company’s website at “https://www.rysrota.com/iletisim/” regarding camera surveillance activities, and a notice stating that surveillance is carried out 24 hours a day, 7 days a week, is posted at the entrances of the areas where camera surveillance activities are carried out.

12.1.5) PURPOSE OF CONDUCTING THE MONITORING ACTIVITY WITH CAMERA AND LIMITATION TO THE PURPOSE

In accordance with Article 4 of the Personal Data Protection Law, our company processes personal data in a manner that is relevant, limited, and proportionate to the purposes for which it is processed. The purposes of RYS Rota’s video camera monitoring are:

Ensuring Building and Employee Safety,

To ensure that safety precautions are taken in the workplace and to prevent deterioration of the working environment in the workplace,

Conducting Audit Activities,

Ensuring the Security of Movable Goods and Resources.

Accordingly, the surveillance areas, number of cameras, and the timing of monitoring are limited and sufficient to achieve security objectives. Areas that could result in an intrusion beyond security objectives (e.g., restrooms) are not subject to monitoring.

12.1.6) ENSURING THE SECURITY OF THE DATA OBTAINED

In addition to providing the technical measures explained above, the camera recording room can only be accessed by the Technical Service Personnel and the IT Department within the company.

12.1.7) STORAGE PERIOD OF PERSONAL DATA OBTAINED THROUGH CAMERA MONITORING ACTIVITY

Personal data obtained by RYS Rota through camera monitoring is deleted every 15 days.

12.1.8) WHO HAS ACCESS TO THE INFORMATION OBTAINED THROUGH CAMERA MONITORING AND TO WHOM IT IS TRANSFERRED

Only the IT Department and the General Manager have access to live camera footage and digitally recorded and stored records. These limited number of individuals have declared under confidentiality agreements that they will maintain the confidentiality of the data they access.

Personal data obtained by our Company through camera recordings may only be transferred to legally authorized public institutions and organizations if it is subject to litigation, in accordance with the conditions and purposes of processing personal data specified in Article 8 of the KVKK and the basic principles stipulated in the relevant law.

12.2) STORAGE OF RECORDS REGARDING INTERNET ACCESS PROVIDED TO OUR COMPANY VISITORS

Our Company may provide internet access to Visitors upon request during their stay in the building. In this case, log records regarding your internet access are kept in accordance with Law No. 5651 and the legislation issued pursuant to this Law. These records are used by our Company to ensure security and;

Realization, Planning and Execution of Activities/Developments and Analyses Regarding Access to Systems,

Planning and Execution of Information Technology Processes and Data Security Activities,

Protection of the Company Against Legal and Criminal Liability,

It is processed for the purposes of carrying out the activities in accordance with the legislation.

Only the company’s IT department has access to the logs obtained within this framework. Company employees with access to these records are permitted to access them only for the purposes of requests from authorized public institutions and organizations or for auditing purposes, and they share them with legally authorized individuals. A limited number of individuals with access to these records agree to maintain the confidentiality of the data they access through confidentiality agreements.

However, the software developer can access the system to troubleshoot issues or make improvements. Therefore, a “data processing agreement” has been signed with the developer to ensure the security of your personal data.

12.3) PROCESSING OF PERSONAL DATA COLLECTED THROUGH COOKIES ON THE WEBSITE

We use cookies on our website, located at “https://www.rysrota.com,” to improve the functionality and usability of our website and to make your time on our website more productive and enjoyable. We may process your personal data through cookies on our website.

If you do not want your personal data to be collected and processed through cookies, you can reject cookies on our website. We would like to remind you that if you reject cookies, our websites may not function properly and may cause disruptions in the display or delivery of services.

However, it is important to note that, unless otherwise stated on the site, the data collected are anonymous user cookies that do not constitute personal data.

For detailed information about the cookies we use on our website, you can review the Cookie Policy published on the relevant site.

13) RIGHTS OF THE DATA OWNER AND EXERCISE OF THESE RIGHTS

Our company informs the personal data owner of their rights in accordance with Article 10 of the KVKK and guides the personal data owner on how to exercise these rights.

13.1) RIGHTS OF THE PERSONAL DATA OWNER

Pursuant to Article 11 of the Personal Data Protection Law, data owners have the following rights against our company:

Learning whether personal data is being processed,

To request information regarding the processing of personal data,

To learn the purpose of processing personal data and whether they are used in accordance with their purpose,

Knowing the third parties to whom personal data is transferred, either domestically or abroad,

To request correction of personal data if it is processed incompletely or incorrectly and to request that the action taken in this context be notified to third parties to whom personal data has been transferred,

To request the deletion or destruction of personal data in case the reasons requiring processing are eliminated, even though they have been processed in accordance with the provisions of the Law and other relevant laws, and to request that the action taken within this scope be notified to third parties to whom personal data has been transferred,

To object to the emergence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,

To request compensation in case of damages due to unlawful processing of personal data.

13.2) CASES WHERE THE PERSONAL DATA OWNER CANNOT EXERCISES HIS RIGHTS

Personal data owners cannot assert their rights listed above in these matters, as the following situations are excluded from the scope of the KVKK, in accordance with Article 28 of the KVKK:

Personal data is processed by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not disclosed to third parties and that obligations regarding data security are complied with.

Processing of personal data by making it anonymous with official statistics for purposes such as research, planning and statistics.

Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime.

Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.

Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.

In accordance with Article 28/2 of the KVKK, personal data owners cannot assert their other rights listed under section 13.1 of this Policy, except for the right to demand compensation for damages, in the following cases:

Processing personal data is necessary for the prevention of crime or criminal investigation.

Processing of personal data made public by the person concerned.

The processing of personal data is necessary for the execution of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law.

Processing of personal data is necessary to protect the economic and financial interests of the State regarding budgetary, tax and financial matters.

13.3) PERSONAL DATA OWNER’S EXERCISE OF HIS RIGHTS

Personal data owners may submit their requests regarding their rights listed under section 13.1 of this policy to our Company free of charge, in accordance with the “Communiqué on the Procedures and Principles of Application to the Data Controller”, using one of the methods specified below:

By filling out and signing the petition clearly stating their requests or the “Data Owner Application Form” which they can obtain from our company or our company’s website, and by applying in person to the address of RYS Rota Construction Metal Construction Systems Industry and Trade Limited Company (RYS Rota) “Saray Mah. Keresteciler Sanayi Sitesi. 15. Sokak No:25 Kazan / ANKARA”,

By filling out and signing the petition clearly stating their requests or the “Data Owner Application Form” which they can obtain from our company or our company’s website, and by notifying the same via a notary or registered letter with return receipt to the address of RYS Rota İnşaat Metal Yapı Sistemleri Sanayi ve Ticaret Limited Şirketi (RYS Rota) “Saray Mah. Keresteciler Sanayi Sitesi 15. Sokak No:25 Kazan / ANKARA”,

By filling out and signing the petition clearly stating your requests or the “Data Owner Application Form” which you can obtain from our company or our company’s website, and by sending it to the e-mail address “info@rysrota.com” using the e-mail address you have previously provided to us and which is registered in our system.

By sending a petition clearly stating their requests or the “Data Owner Application Form”, which they can obtain from our company or our company’s website, signed with a “secure electronic signature” as defined in the Electronic Signature Law No. 5070, to our Company’s Registered Electronic Mail address rysrota@hs03kep.tr

In applications to be made by third parties on behalf of the data owner, a copy of the notarized power of attorney must be sent to us along with this form. In applications to be made on behalf of children under custody/guardianship, a copy of the documents proving the custody/guardianship relationship (such as a document showing that the data owner is the parent/guardian) must be sent to us along with this form.

13.4) OUR COMPANY’S RESPONSIBILITY TO APPLICATIONS

If a personal data subject submits a request to our Company regarding the rights listed under Section 13.1 of this Policy in accordance with the procedure, our Company will respond to the request as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. While your requests will generally be processed free of charge by our Company, if responding to your request requires additional costs, a fee may be charged in the amounts determined by relevant legislation.

To ensure the security of your personal data, RYS Rota Construction Metal Construction Systems Industry and Trade Limited Company (RYS Rota) may contact you within seven (7) days of receiving your request for information and may request certain information and documents from you to verify your data ownership. Any information and documents you provide to us in this context will be destroyed by us immediately following confirmation of your data ownership.

If the requested information and documents are incomplete, the information and documents must be completed and submitted to us upon our request. The thirty (30) day period stipulated in Article 13/2 of the Personal Data Protection Law for processing the request will be suspended until the information and documents are fully submitted to us.

13.5) PERSONAL DATA OWNER’S RIGHT TO FILE A COMPLAINT TO THE PERSONAL DATA PROTECTION BOARD

In accordance with Article 14 of the KVKK, if the application is rejected, the response is found insufficient or the application is not responded to in a timely manner, the personal data owner may file a complaint with the Personal Data Protection Board within 30 (thirty) days from the date of learning about our Company’s response and, in any case, within 60 (sixty) days from the date of application.

14) ENFORCEMENT OF THE POLICY

The effective date of this Policy is September 30, 2020. If the entire Policy or certain articles are renewed, the effective date of the Policy will be updated.

This Policy is published on RYS Rota’s website (https://www.rysrota.com) and is made available to the relevant persons upon request of personal data owners.

15) IDENTITY OF THE DATA CONTROLLER

COMPANY: RYS Rota Construction Metal Building Systems Industry and Trade Limited Company

MERSİS NO:

CONTACT LINK: https://www.rysrota.com/iletisim/

ADDRESS: Saray Neighborhood, Lumberjacks Industrial Site, 15th Street No:25, Kazan / ANKARA

E-MAIL: info@rysrota.com

PHONE NO: 0 (312) 815 22 41