GDPR Policy
1. Introduction of the Data Controller and this Privacy Notice 4
2. Contact Information 5
3. How Do We Collect Your Personal Data? 5
4. Which Personal Data Do We Collect and Process? 5
5. Why Do We Process Your Personal Data and What Is the Legal Basis for This Use (purpose of the processing)? 6
6. To Whom, Why and Where We Transfer Your Personal Data? 7
7. How long will you retain my data? 8
8. Principles relating to personal data privacy 8
9. Use of cookies 8
10. Use of Digital Platforms 8
11. Use of CCTV (Closed Circuit Television) 8
12. What are Your Rights as Data Subjects? 8
13. The right to object to processing of personal data (Article 21 of the GDPR) 9
14. Data security 10
15. Changes to this Privacy Notice 10
• PRIVACY NOTICE
This document is the property of the Canel Alüminyum Profil Sanayi ve Ticaret Anonim Şirketi; It may contain confidential or restricted information. If you are not an authorized purchaser, please return this document to the authorized owner. It is strictly forbidden to disseminate, distribute, copy or use this document, in whole or in part, by anyone other than the permitted recipient, without the prior written consent of the Canel Alüminyum Profil Sanayi ve Ticaret Anonim Şirketi.
1. Introduction of the Data Controller and this Privacy Notice
As a data controller, Canel Otomotiv Sanayi ve Ticaret Anonim Şirketi (hereinafter referred to as “Yeşilova Holding – Canel”, “Company”, “Yeşilova” or “We”), pays the utmost attention to the lawfulness of the processing of personal data of its customers. We have prepared this Yeşilova GDPR Privacy Notice (“Privacy Notice”) on the protection and the processing of personal data, in order to ensure compliance with the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).
The security of our customers’ personal data is at the forefront of our work. Therefore, in order to prevent any unlawful access to personal data or leak and to ensure the secure retention of personal data relating to our customers, such data are only transferred to trusted business partners and on a minimum level, by taking necessary security measures in accordance with the legislation in force.
Transparency is one of the most important subjects of our personal data protection program. In this respect, We have prepared this Privacy Notice in order to provide our customers with all necessary information while We are processing personal data, e.g. for the purposes of compliance with our legal obligations and to ensure a better customer experience. Detailed information regarding the types of personal data and the purposes for processing personal data are detailed under section 5 of this Privacy Notice.
Another subject that We also pay close attention to is customers’ right to have control over their personal data. We implement measures to ensure that our customers manage their preferences regarding their own personal data and highly respect our customers preferences. This Privacy Notice also describes your data protection rights, including a right to object to specific processing activities which YEŞİLOVA HOLDİNG carries out. More information about your rights, and how to exercise them, is set out in the “What are Your Rights as Data Subjects?” section.
In summary, data security, transparency and individuals’ right to have control over their personal data are fundamentals for us in ensuring compliance with the GDPR.
This Privacy Notice contains our declarations and explanations concerning the processing of personal data relating to our customers and other natural persons establishing contact with us, excluding our employees, in compliance with the provisions of the GDPR.
This Privacy Notice is prepared in order to provide information concerning which personal data Yeşilova processes within the scope of its commercial activities, the purposes for processing, the parties to whom personal data are transferred and the purposes for such transfers.
This policy also; Canel Otomotiv Sanayi ve Ticaret Anonim Şirketi provides personal data in accordance with the national law and the methods and principles to be followed to ensure that personal data is processed and protected in accordance with the Personal Data Protection Law (KVKK) published in the Official Gazette dated 7 April 2016 and numbered 29677.
Ref: https://www.canelotomotiv.com.tr/tr/kisisel-verileri-koruma-politikasi
2. Contact Information
If you have any concerns about how We process your data, or if you would like to opt-out of direct marketing, based on the laws applicable to you can reach out to:
YEŞİLOVA HOLDİNG – CANEL:
+90 224 267 0 600
Ovaakça Factory: İstanbul Cd. NO: 648, 16335 Osmangazi/Bursa – Türkiye
Hasanağa Factory: Hasanağa OSB Mah. 12. Cad, No: 4/2 Nilüfer, Bursa, Türkiye
3. How Do We Collect Your Personal Data?
This section covers the source of information and the channels through which personal data are collected:
• Call center, offices, requests and complaints, employee and guest checkpoints, surveys, fairs and events; orally, in writing or electronically, in whole or in part, by automated or non-automatic means.
• Yeşilova Enterprise Resource Planning Program website and mobile applications.
• Agencies authorized to sell Yeşilova products and services and sales channels on the web, social media, passenger and customer conversations, SMS channels, business intelligence, contracted merchants, business/program partners and other airlines; in verbal, written or electronic form, wholly and partly by automated and non-automated means.
• If you request to receive service from these channels: The website located at yesilova.com.tr (“Website”); software and applications provided through computers or other smart devices (“Application”); social media accounts administered by persons authorized to provide services on behalf of Yeşilova, instant messaging applications that mediate the service provided by Yeşilova such as WhatsApp Business, Telegram and all other digital channels, which shall be referred to together as “Digital Environments”.
4. Which Personal Data Do We Collect and Process?
Personal data processed by our Company differ in accordance with the nature of the legal relationship established with our Company. In this respect, categories of personal data collected by our Company through all channels, including Digital Environments, are as follows:
• Identity and Contact Information: Personal data such as name, surname, official identification number, passport information and contact information (such as e-mail address), telephone and mobile phone number or social media contact information that you provide to us when creating an account, employee candidate, employee, potential to make customer, customer, supplier agreements or to apply for the privileged services offered by YEŞİLOVA HOLDİNG and its partners.
• Customer Process Information (personal data recorded for the purpose of ensuring business continuity and other changes attributable to an individual regarding an instruction or request.)
• Process Security Information (Website password, log records, etc. given while benefiting from the products and services offered.)
• Risk Management Information (Such as the results and records of various inquiries made by public institutions regarding the data owner, records of security checks, address registration system records, IP tracking records.)
• Request/Complaint Management Information (such as information and records collected in relation with requests and complaints concerning our products or services and information contained within reports regarding the conclusion of such requests by our business units).
• Financial Information (bank account information, IBAN information, balance information, credit balance information and other financial information.)
• Physical Environment Security Information (entry/exit logs in Company’s physical environments, visit information, camera records.)
• Legal Procedure and Compliance Information (information provided within information requests and decisions of judicial and administrative authorities.)
• Audit and Inspection Information (information relating to all kinds of records and processes concerning the exercise of our legal claims and rights associated with the data subject.)
• Visual Information (photographs, camera.)
5. Why Do We Process Your Personal Data and What Is the Legal Basis for This Use (purpose of the processing)?
We process your personal data for the following purposes:
To fulfil a contract, or take steps linked to a contract We have with you. (According to Art. 6/(1), Subparagraph 1(b) GDPR) This includes:
• Determining and implementing our institution’s strategies and ensuring the execution of our company’s human resources policies,
• In line with the aim of ensuring the execution of human resources policies; Providing suitable personnel for open positions in accordance with human resources policies, carrying out human resources operations in accordance with human resources policies and fulfilling obligations and taking necessary measures within the framework of Occupational Health and Safety,
• In line with the purpose of fulfilment of the services offered by our institution by the relevant business units; independent auditing, accounting services and consultancy etc. carried out by our institution. performance of services,
• Administrative operations for communication, auditor independence, risk management and quality control purposes carried out for the purpose of ensuring the legal and commercial security of our institution and the people who have business relations with our institution,
• Relationship management, account management, internal financial reporting, provision of information technology (IT) services (storage, hosting, maintenance, support, use of central distributed server system are also included in this scope)
• Yeşilova Holding – Canel processes and operations carried out for the purpose of determining and implementing commercial and business strategies, financial operations, communication, market research and social responsibility activities, execution of purchasing operations (request, offer, evaluation, order, budgeting, contract).
• Determination and implementation of YEŞİLOVA HOLDİNG commercial and business strategies, internal system and application management,
• Planning, auditing and execution of information security processes, creation and management of information technologies infrastructure,
• Planning and execution of employee satisfaction and/or loyalty processes, planning and execution of fringe rights and benefits for employees, planning and execution of employees’ access to information authorizations, monitoring and/or auditing of employees’ work activities,
• Following up financial and/or accounting and legal affairs,
• Planning and execution of market research activities for sales, marketing and/or promotion of business activities and services,
• Planning and execution of information access authorizations of business partners and/or suppliers, management of relationships with business partners and/or suppliers,
• Planning and execution of corporate communication activities, planning and/or execution of corporate risk management activities, planning and execution of corporate sustainability activities, planning and execution of corporate governance activities,
• Planning and execution of customer relationship management processes, planning and/or follow-up of customer satisfaction processes, follow-up of customer demands and/or complaints,
• Fulfilling obligations arising from employment contracts and/or legislation for company employees,
• Ensuring the security of company assets and/or resources,
• Planning and execution of external training activities,
• Planning and execution of operational activities necessary to ensure that company activities are carried out in accordance with company procedures and/or relevant legislation,
• Ensuring that the data is accurate and up-to-date,
• Planning and execution of talent-career development activities,
• Providing information regarding legislation to authorized persons and/or organizations,
• Creating and tracking visitor records and ensuring the security of the company campus and facilities.
Withdrawing consent or otherwise objecting:
Wherever We rely on your consent, you will always be able to withdraw that consent, although We may have other legal grounds for processing your data for other purposes, such as those set out above. You have an absolute right to opt-out of profiling, at any time. You can do this by following the instructions in the communication where this is an electronic message, or by contacting us using the details set out below.
6. To Whom, Why and Where We Transfer Your Personal Data?
Due to the global nature of our business, We may transfer your personal data to recipients residing in Türkiye or abroad, in accordance with applicable laws.
Recipients that We may transfer your data to can be listed categorically as follows:
• Our business partners or suppliers residing within Türkiye or abroad
• Group companies
• Suppliers
• Authorities and/or law enforcement officials authorized by national or international legislation
Adequacy Decision of the EU Commission, currently:
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
Standard Contractual Clauses: Other recipients;
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
Exceptions under Art. 49 GDPR: Other recipients.
Further information on such transfers or copies of these measures can be obtained via the contact details above.
Third Party Web Sites: Our website may include links to third-party websites, microsites, plug-ins and applications (i.e. kariyer.net) Please note that clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. Therefore, whenever you make use of these links or microsites or when you leave our website, please read the privacy notice of the third party.
7. How long will you retain my data?
Yeşilova Holding – Canel is subject to legal obligations on data retention periods under Turkish law, European Law and depending on the country in which you live or which law applies, national laws of a country (for example, USA, Germany, Italy, Spain, Switzerland, etc.). As Yeşilova Holding – Canel, as a global company, has locations in different countries and the applicable laws change thereafter, the retention periods may therefore vary from country to country.
Your personal data are deleted as soon as they are no longer needed for the specified purposes. However, We must sometimes continue to store your data until the retention periods and deadlines set by the legislator or supervisory authorities, up to 15 years which may arise from the Turkish Commercial Code, Tax Code, Turkish Code of Obligations and depending on other applicable European Laws and national laws of a EU-Country. We may also retain your data until the statutory limitation periods have expired (but up to 15 years in some cases), provided that this is necessary for the establishment, exercise or defence of legal claims. After that, the relevant data are routinely deleted or anonymized.
8. Principles relating to personal data privacy
Our company acts in accordance with the principles stated below in all data processing activities. “Lawfulness, fairness and transparency”, “purpose limitation”, “data minimisation”, “accuracy”, “storage limitation”, “integrity and confidentiality” and “accountability”.
9. Use of cookies
As Yeşilova, We utilize technologies such as cookies, pixels, GIFs (“Cookies”) to improve your user experience during your use of our websites and applications. The use of these technologies is in accordance with the Law and other related regulations that We are subjected to.
For further information regarding cookies, please refer to the Canel Otomotiv Sanayi ve Ticaret Anonim Şirketi Cookie Privacy Notice located at https://canelotomotiv.com.tr/kisisel-verilerin-korunmasi/cerez-politikasi
10. Use of Digital Platforms
Your personal data may be processed while your use of Digital Platforms to manage and operate the Website, to perform activities for optimizing and improving the user experience related to the Website and Application, to detect in what ways the Website is being used, to support and enhance the use of location-based tools, to manage your online accounts and to inform you about the services offered near you.
In case you desire to benefit from the offered product and services, your personal data will be processed only to make you get such product and services.
11. Use of CCTV (Closed Circuit Television)
When you visit our company premises, your visual data may be obtained via CCTV and may be preserved only for a period necessary to fulfill the following purposes. With the use of CCTV, prevention and detection of any criminal act incompatible with the law and company policies, maintaining the security of company premises and equipment located within the premises, protection of visitors’ and workers’ well-being is pursued. All necessary technical and administrative measures will be taken by us regarding the security of your personal data obtained via CCTV.
12. What are Your Rights as Data Subjects?
Under the GDPR you are entitled to the following rights (further information is available under https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights_en):
• Right to withdraw consent (Art. 7 GDPR)
• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
Under the GDPR or national laws, these rights may be limited, for example if fulfilling your request would reveal personal data about another person, where they would infringe the rights of a third party (including our rights) or if you ask us to delete information which We are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in the GDPR or in applicable national laws. We will inform you of relevant exemptions We rely upon when responding to any request you make.
In order to exercise these rights please contact the above-mentioned contact addresses. Please specify which individual rights according to Art. 15 et seq. you want to exercise. For this purpose, We may have to confirm your identity before responding to your request. Please provide the following details so that We can identify you:
• Name
• Postal address
• E-mail address and optionally: customer number
If you send us a copy of your ID, please black out all other information apart from your first and last name and address. When sending copies of the ID card, it must be clear that this is a copy. Therefore, please make a note on the copy of the ID as following: “This is a copy”.
In order to be able to process your request, as well as for identification purposes, please note that We will use your personal data in accordance with Art. 6 para. 1 (f) of the GDPR as legal obligation.
If you believe that We have failed to comply with data protection regulations when processing your personal data, you can lodge a complaint with the competent supervisory authority in accordance with Art. 77 GDPR. The competent supervisory authority can be identified according to the list provided under:
https://edpb.europa.eu/about-edpb/board/members_en.
In Germany, the competent supervisory authority is ‘‘Der Hessische Beauftragte für Datenschutz und Informationsfreiheit’’ which can be found under:
https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
13. The right to object to processing of personal data (Article 21 of the GDPR)
As indicated above, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on Article 6 (1) (e) or (f) of the GDPR, including profiling based on those provisions.
We shall no longer process the personal data unless We demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
14. Data security
We take all appropriate technical and organizational measures to safeguard your personal data and to mitigate risks arising in connection with unauthorized access, accidental data loss, deliberate erasure of or damage to personal data.
In this respect our Company;
• Ensures data security by utilizing protection systems, firewalls and other software and hardware containing intrusion prevention systems against virus and other malicious software,
• Access to personal data within our Company is carried out in a controlled process in accordance with the nature of the data and on a strict need-to-know basis,
• Ensures the conduct of necessary audits to implement the provisions of the GDPR, in accordance with Article 32 of the GDPR,
• Ensures the lawfulness of the data processing activities by way of internal policies and procedures,
• Applies stricter measures for access to special categories of personal data,
• In case of external access to personal data due to procurement of outsourced services, our Company obliges the relevant third party to undertake to comply with the provisions of the GDPR,
• It takes necessary actions to inform all employees, especially those who have access to personal data, about their duties and responsibilities within the scope of the GDPR.
15. Changes to this Privacy Notice
We reserve the right to make changes to this Privacy Notice in order to provide accurate and up-to-date information concerning practices and regulations relating to the protection of personal data. Data subjects will be informed by appropriate means in the event of a substantial change to the Privacy Notice.
