privacy and
data protection terms

  1. 1. PURPOSE, SCOPE AND DATA CONTROLLER

This Privacy and Personal Data Protection Terms (“Terms”) sets out the principles, which are accepted by Eku Fren ve Döküm San. A.Ş (shall be referred to as “Company” or “Data Controller”) with respect to the protection of personal data, determines the personal data processing principles with respect to the processing of personal data of Visitor, Customer, Potential Customer, Supplier, Supplier Employee, Potential Employee, and Online Visitor (“Data Subject Groups”) and aims to inform such Data Subject Groups according to Personal Data Protection Law numbered 6698 (“Law numbered 6698”).

The data controller for the processing of the data is Eku Fren ve Döküm San. A.Ş. The contact de-tails of Eku Fren ve Döküm San. A.Ş are as follows:
Postal address: Tosb OSB 1. Cad. No:13 Çayırova /Kocaeli
Telephone: (+90) 262 658 10 10
E-mail: info@eku.com.tr

Eku Fren ve Döküm San. A.Ş. has appointed a Data Protection Officer to ensure that we continu-ously process your personal data in an open, accurate and legal manner. You can contact our Data Protection Officer via the following contact details:
E-mail: kvkk@eku.com.tr

  1. 2. PRINCIPLES REGARDING PROCESSING OF PERSONAL DATA

We, the Company, as the Data Controller, process your personal data under the below principles.

2.1 Processing in accordance with Law and Rule of Fairness

The principles brought with legal regulations and the general trust and fairness rule are complied with in respect of processing your personal data. According to this principle, while we, as the Data Controller try to reach our personal data processing purposes, we take into consideration your interest and reasonable expectations, do not abuse our rights, and act in compliance with the principle of transparency in respect of our actions.

2.2 Ensuring that the Personal Data Are Correct and, When Necessary, Up-to-Date

In line with this principle, which emphasizes the importance of the accuracy and up-to-dateness of your personal data, periodical controls, and updating are made to ensure that the personal data, which is processed, is accurate and up-to-date, and in this respect necessary measures are taken by taking into consideration your legitimate interests. To this effect, systems, which are aimed to check the accuracy of the personal data and to make the necessary corrections, are established within the Company. Furthermore, the accuracy of the resources, from which the personal data are collected, is checked and requests, which arise due to inaccuracy of personal data, are taken into consideration. Therefore, this principle is applied in harmony with your right to request correction of the personal data, to which you are entitled under the Law numbered 6698.

2.3 Being Processed for Specified, Explicit, and Legitimate Purposes

Your personal data are processed based on explicit, specified, and legitimate data processing purposes. In this respect, we ensure that our personal data processing activities are clearly comprehensible by the data subject and we determine and explicitly set forth the purposes of the personal data processing activities in clauses 5 and 7 of this Terms.

2.4 Being Relevant, Limited and Proportioned to the Purposes for Which They Are Processed

Your personal data are processed in a manner, which is proportioned, relevant and limited to the envisioned processing purpose(s) and the processing of personal data, which are not relevant to achieving the(se) purpose(s) or are not needed, is avoided. Again, under this principle, personal data are not collected or processed for purposes, which do not exist and are deemed to occur later.

2.5 Being Stored for the Period Set Forth by the Legislation or the Period Required for the Purpose for Which They are Processed

Your personal data are stored only for the period, which is set forth by the relevant legislation or is required for the purpose for which they are processed. For this, we, as the Data Controller, take and apply the organizational and technical measures. In this respect, we firstly determine whether a period of time is foreseen by the relevant legislation for the storing of personal data and if a period is determined, we comply with such period of time and if a period of time is not determined, the personal data are stored for the period, which is required for the purpose, for which they are processed. In the event of expiry of the period or that the reasons for processing cease to exist, if there is not any legal basis, which allows for data to be processed for a longer period of time, your personal data is erased, destructed, or anonymized according to the personal data protection legislation.

  1. 3. CONDITIONS FOR PROCESSING PERSONAL DATA

Your personal data may be processed by the Company under the conditions set forth below.

3.1 Being Expressly Provided for In the Laws

The fundamental rule is that the personal data cannot be processed without the explicit consent of the data subject, but according to this exception, your personal data may be processed in the event the processing of personal data is explicitly provided for in the laws.

3.2 Explicit Consent of the Data Subject Cannot Be Taken Due to Actual Impossibility

Your personal data may be processed to protect the life of the data subject or any other person, if the data subject is unable to express his/her consent due to an actual impossibility or the data subject’s consent cannot be deemed valid. In this respect, it is foreseen that in cases, where the consent cannot be expressed or is not valid, on the condition that it is mandatory to protect the life or bodily integrity of persons, personal data may be processed.

3.3 Being Directly Related to the Establishment or Performance of a Contract

On the condition that it is directly related to the establishment or performance of a contract, your personal data may be processed if the processing of the personal data of the parties to the contact is required. Based on this condition, in the event the personal data of the parties are processed for the performance of the obligations under a valid contract, explicit consent shall not be required.

3.4 Performance by the Company of its Legal Obligation

If the processing is mandatory in order to fulfill the legal obligations as a Data Controller, your personal data may be processed.

3.5 Personal Data Is Made Public

If your personal data is made public by yourself; in other words, if they are disclosed to the public by you, they may be processed. In such case, it is deemed that the legal interest, which is required to be protected, is deemed cease to exist.

3.6 Data Processing Is Mandatory for Establishment, Exercise or Protection of a Right

Your personal data may be processed if data processing is mandatory for establishment, exercise or protection of a right.

3.7 Processing Based on Legitimate Interests

If data processing is required for the legitimate interests of the Company, your personal data may be processed. In this respect, the Company may process personal data for the purposes such as promotion of employees, raise in the salaries of the employees or regulating the social benefits of the employees on the condition that the fundamental rights and freedoms of the employee are not violated. On the other hand, even in such cases, the fundamental principles with respect to the protection of personal data shall be complied with and the balance of interests of the data subject shall be respected.

3.8 Processing Based on Explicit Consent

Although the main rule is that the personal data is processed based on explicit consent, in the event the other conditions set forth in this clause exist, the explicit consent of the data subject is not sought. Otherwise, it will be an abuse of right. In this respect, your personal data is processed based on explicit consent if they are not processed based on one of the conditions, which are set forth in this Terms.

  1. 4. CATEGORIZATION OF PERSONAL DATA
Data Subject
Data Category

Customer

ID Data, Financial Data, Legal Transaction Data, Visual and Auditory Data, Transaction Security Data, Physical Security Data, Contact Data, Marketing Data, Customer Operation Data

Potential Employee

ID Data, Physical Security Data, Contact Data, Personal Data, Professional Experience Data

Potential Customer

ID Data, Visual and Auditory Data, Transaction Security Data, Physical Security Data, Contact Data, Marketing Data

Visitor

ID Data, Contact Data, Physical Security Data, Health Data, HES Code Data

Supplier /Business Partner Representative

ID Data, Contact Data, Legal Transaction Data, Financial Data, Transaction Security Data

Supplier /Business Partner Employee

ID Data, Legal Transaction Data, Transaction Security Data, Physical Security Data, Contact Data, Health Data, Personal Data, Professional Experience Data

Online Visitor

ID Data, Contact Data, Process Security Data

  • 5. PURPOSES OF PROCESSING PERSONAL DATA

Personal data may be processed in the Company in accordance with the personal data processing conditions, which are set forth in articles 5 and 6 of the Law numbered 6698, based on the group of the data subject.

5.1 CUSTOMER

Purposes Of Processing
Personal Data

Have the data subjects benefit from the products and services which are pro-vided by the company

ID Data, Operational Data, Contact Data, Customer Operation Data, Marketing Data

Pursuing contract processes and legal claims

ID Data, Financial Data, Legal Transaction Data, Visual and Auditory Data, Contact Data, Customer Operation Data

Planning and execution of its operational activities

ID Data, Financial Data, Legal Transaction Data, Visual and Auditory Data, Transaction Security Data, Contact Data, Customer Operation Data, Physical Security Data, Marketing Data

Carrying out financial and accounting works

ID Data, Financial Data, Legal Transaction Data, Customer Operation Data

Conducting customer relations processes and planning and execution of the customer satisfaction processes of the company

ID Data, Contact Data, Customer Operation Data, Marketing Data

Pursuing customer requests and/or complaints

ID Data, Contact Data, Customer Operation Data

Planning of information security; establishing and management of and audit and execution of information technologies infrastructure

ID Data, Transaction Security Data, Contact Data

5.2 POTENTIAL EMPLOYEE

Purposes Of Processing
Personal Data

Processes of procurement of personnel

ID Data, Contact Data, Personnel Data, Professional Experience Data

Planning and execution of human resources processes and interests

ID Data, Contact Data, Personnel Data, Professional Experience Data

Fulfilling the obligations arising from the legislation

ID Data, Contact Data, Personnel Data, Professional Experience Data, Transaction Security Data, Physical Security Data

5.3 POTENTIAL CUSTOMER

Purposes Of Processing
Personal Data

Have the data subjects benefit from the products and services which are provided by the company

ID Data, Operational Data, Contact Data, Customer Operation Data, Marketing Data

Planning and execution of its operational activities

ID Data, Financial Data, Legal Transaction Data, Visual and Auditory Data, Transaction Security Data, Operational Data, Contact Data, Customer Operation Data, Physical Security Data, Marketing Data

Conducting customer relations processes and planning and execution of the customer satisfaction processes of the company

ID Data, Contact Data, Customer Operation Data, Marketing Data

Planning of information security; establishing and management of and audit and execution of information technologies infrastructure

ID Data, Transaction Security Data, Contact Data

5.4 VISITOR

Purposes Of Processing
Personal Data

Provision of security of buildings and facility premises and/or facilities

ID Data, Contact Data, Physical Security Data, Health Data, HES Code Data

Creating and following up visitor logs

ID Data, Contact Data, Physical Security Data

Provision of security of its fixtures and/or its resources

ID Data, Contact Data, Physical Security Data

Provision of technical and commercial-occupational security

ID Data, Physical Security Data

Provision of security of company operations

ID Data, Physical Security Data

Provision of information, which arises from the legislation, to authorized institutions and organizations

Physical Security Data

5.5 REPRESENTATIVES OF SUPPLIERS / BUSINESS PARTNERS

Purposes Of Processing
Personal Data

Have the data subjects benefit from the products and services, which are provided by the company

ID Data, Contact Data, Legal Transaction Data, Financial Data, Transaction Security Data

Carrying out the necessary works, which are necessary to realize the commercial activities, which are carried out by the company, and conducting the business processes related thereto

ID Data, Contact Data, Legal Transaction Data, Financial Data, Transaction Security Data

5.6 EMPLOYEES OF SUPPLIERS / BUSINESS PARTNERS

Purposes Of Processing
Personal Data

Purposes of planning and execution of human resources processes

ID Data, Contact Data, Health Data Legal Transaction Data, Physical Security Data Personnel Data, Professional Experience Data, Transaction Security Data

Carrying out personnel processes

ID Data, Contact Data, Health Data Personnel Data, Professional Experience Data

Fulfilling the obligations arising from the legislation

ID Data, Contact Data, Health Data Legal Transaction Data, Physical Security Data Personnel Data, Professional Experience Data, Transaction Security Data

Carrying out the necessary business processes in order to have the data subjects benefit from the products and services, which are provided by the company

ID Data, Contact Data

Carrying out the necessary works, which are necessary to realize the commercial activities, which are carried out by the company and carrying out the works, which are necessary in order to benefit from the products and services, which are provided by the company

ID Data, Contact Data

5.7 ONLINE VISITOR

Purposes Of Processing
Personal Data

Conduct of marketing analysis works, the conduct of advertisements / campaigns / promotions’ processes

ID Data, Contact Data, Process Security Data

The conduct of communication activities

ID Data, Contact Data, Process Security Data

The conduct of product and services development works

ID Data, Contact Data, Process Security Data

Carrying out legal obligations

ID Data, Contact Data, Process Security Data

  • 6. TRANSFER OF PERSONAL DATA

Your personal data may be transferred within the scope of principles and purposes set forth in clauses 3 and 5 of this Confidentiality and Personal Data Protection Terms under the conditions for, and for the purposes of, processing personal data set forth in articles 8 and 9 of the Law numbered 6698 in a limited capacity to our group companies, business partners, suppliers, legally authorized public authorities and legal entities in the country or abroad.

  • 7. METHOD AND LEGAL BASIS OF COLLECTION OF PERSONAL DATA

Depending on the Data Subject Group, your personal data transferred electronically to the Company are processed as follows.

7.1 CUSTOMER

Personal data of the Customers are processed on the legal bases that “processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract”, “it is necessary for compliance with a legal obligation to which the data controller is subject” and “processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject” set forth in article 5 of the Law numbered 6698, in physical or electronic media, by automated means as part of a data recording system through written or verbal data transfer tools by way of being received either directly from the person or third persons.

7.2 POTENTIAL CUSTOMER

Personal data of the Potential Customers are processed on the legal bases of “personal data have been made public by the data subject himself/herself”, “data processing is necessary for the establishment, exercise or protection of any right”, “processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject”, set forth in article 5 of the Law numbered 6698, in physical or electronic media, by automated means as part of a data recording system through written or verbal data transfer tools by way of being received either directly from the person or third persons.

7.3 POTENTIAL EMPLOYEE

Personal data of the Potential Employee are processed on the legal bases of “processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract” in terms of the employment agreement which may be established, “it is necessary for compliance with a legal obligation to which the data controller is subject” and “processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject”, set forth in article 5 of the Law numbered 6698 by filling out an application form in electronic medium, by filling out a physical form by automated means as part of a data recording system through written or verbal data transfer tools by way of being received either directly from the person or third persons.

7.4 VISITOR

Personal data of the Visitors are processed on the legal bases that “it is necessary for compliance with a legal obligation to which the data controller is subject” and “processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject” set forth in article 5 of the Law numbered 6698, by automated means or by non-automated means as part of a data recording system by way of recording visuals via security cameras located in various locations in our service building and via other information obtained from you during your entries.

7.5 REPRESENTATIVES OF SUPPLIERS / BUSINESS PARTNERS

Personal data of Representatives of the Suppliers / Business Partners are processed on the legal bases that “processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract”, “it is necessary for compliance with a legal obligation to which the data controller is subject” and “processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject” set forth in article 5 of the Law numbered 6698 in physical or electronic media, by automated means as part of a data recording system through written or verbal data transfer tools as part of the data recording system by way of being received either directly from the person or third persons.

7.6 EMPLOYEES OF SUPPLIERS / BUSINESS PARTNERS

Personal data of Employees Of Suppliers / Business Partners are processed on the legal bases that “processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract”, “it is necessary for compliance with a legal obligation to which the data controller is subject” and “processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject” or by obtaining explicit consent set forth in articles 5 and 6 of the Law numbered 6698 in physical or electronic media, by automated means as part of a data recording system through written or verbal data transfer tools as part of the data recording system by way of being received either directly from the person or third persons

7.7 ONLINE VISITOR

Personal data of Online Visitors are processed on the legal bases of “processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject” and “it is necessary for compliance with a legal obligation to which the data controller is subject” set forth in article 5 of the Law numbered 6698 by automated means.

  • 8. SECURITY OF PERSONAL DATA

The Company takes reasonable measures to prevent unauthorized access risks, data losses by accident, deliberate deletion of data or data from being damaged for the purpose of ensuring the security of the personal data and prevention of unlawful processing thereof.

All reasonably required technical and physical measures are taken to prevent persons other than those who are authorized to access personal data from accessing personal data. In this context, especially the authorization system is set up in a way which makes it impossible for persons and systems to access more personal data than it is necessary.

The Company carries out the required audits and has such audits carried out in its institutions and establishments for the purpose of execution of the provisions of the Law numbered 6698.

  • 9. UNDERTAKINGS IN RELATION TO THIRD PARTY PERSONAL DATA

The Data Subject Group accepts and consent that personal data in relation to 3rd Persons transferred by the Data Subject Group may be processed by the Company. The relevant Person Group also undertakes that it has informed as required in line with the Law numbered 6698 in relation to the transferred persons and information and that it has obtained the consents. Otherwise, the relevant Person Group shall be liable for the damages arising.

  • 10. PERSONAL DATA STORAGE PERIOD

The retention periods and legal basis of personal data processed by the Company are followed:

Process
Storage Period
Expire Period

Log Recording Tracking Systems

2 years

At the first periodic disposal period after the end of the storage period

Security Camera Recordings

60 days

At the first periodic disposal period after the end of the storage period

Execution of visitor and vehicle registration processes

1 year From the end of the visit

At the first periodic disposal period after the end of the storage period

Execution of security minutes preparation processes

1 year

At the first periodic disposal period after the end of the storage period

Execution Of Human Resources Processes

10 years After the end of the legal relationship

At the first periodic disposal period after the end of the storage period

Execution of Occupational Health and Safety Processes

15 years After the end of the legal relationship

At the first periodic disposal period after the end of the storage period

Planning and Execution of Processes of Sub-employer Employee

10 years After the end of the legal relationship

At the first periodic disposal period after the end of the storage period

Planning and execution of recruitment processes

1 year

At the first periodic disposal period after the end of the storage period

Execution Of Internship Processes

5 years

At the first periodic disposal period after the end of the storage period

Personal data related to employee relatives processed for execution and planning of business processes

10 years, during the legal relationship period or from the end of the legal relationship

At the first periodic disposal period after the end of the storage period

Execution Of Customer Satisfaction Processes

10 years From the beginning of the relevant statute of limitations

At the first periodic disposal period after the end of the storage period

Execution of the processes of establishment and execution of contracts

10 years After the end of the legal relationship

At the first periodic disposal period after the end of the storage period

Execution and Follow-up of Quality Control Analysis processes

10 years

At the first periodic disposal period after the end of the storage period

Execution Of Product Control Processes

3 years

At the first periodic disposal period after the end of the storage period

Execution Of Quality Control Processes

5 years

At the first periodic disposal period after the end of the storage period

Execution of follow-up processes of Finance and accounting works

10 years After the end of the legal relationship

At the first periodic disposal period after the end of the storage period

Execution Of Marketing Processes

3 years After the end of the legal relationship

At the first periodic disposal period after the end of the storage period

Execution Of Follow-Up Processes Of Legal Affairs

10 years From the conclusion of the trial

At the first periodic disposal period after the end of the storage period

Execution Of Other Business Processes

10 yıl From the beginning of the relevant statute of limitations

At the first periodic disposal period after the end of the storage period

  • 11. YOUR RIGHTS

You have the following rights:

Right of access: You have the right to access to and obtain information regarding your personal data Company may hold, and how Company use your personal data; to request a copy of any of your personal data from Company hold about you. You may see most of your personal data yourself online.

Right of rectification: You have the right to complete your Personal Data whenever they are incom-plete and to request Company to rectify your personal data which whenever they are inaccurate. You may also prefer to correct or complete your Personal data directly by modifying your profile via website/app of Company. Please note that, you will be liable for any loss or damage caused to Com-pany or to the person responsible for the Company by reporting erroneous, inaccurate or incomplete information in the registration forms.

Right to erasure: You have the right to request the deletion or destruction of your personal data where your personal data is no longer necessary for the purposes they were collected for.

Right to restriction: You have the right to request the restriction of the processing of your personal data for so long as we are considering any request you have made to us to correct or complete your personal data, or you have objected to processing justified on legitimate interests. If you use your right to restriction, we will only process it with your consent or for the establishment, exercise or defense of legal claims

Right to data portability: You have right to receive the personal data you will provide to us in a structured, commonly-used and machine-readable, and also to transmit them to another controller whenever the processing is based on consent or on a contract and is carried out by automated means.

Right to withdrawal of consent: Where applicable, you have the right to withdraw your consent at any time.

Right to object: You may object to the processing of your personal data based on the public or legit-imate interest pursued by Company, including profiling. In this case, Company will stop to process your personal data, except for compelling legal grounds or the exercise or defense of possible legal claims.

Automated individual decisions: You have the right not to be the object of a decision based solely on automated processing, including profiling, while produces a legal effect on you or significantly affects you in a similar manner. However, it will not be possible to exercise said right in cases where the decision is necessary for the formalization or execution of a contract between you and Compa-ny; it is authorized by the law applicable to Company provided it establishes the appropriate measures to safeguard its rights, freedoms and legitimate interests; or where it is based on your ex-plicit consent.

Right to lodge a complaint: You have the right to lodge a complaint with a data protection authority if you consider that the processing of your personal data infringes applicable law.

  • 12. PROCEDURES AND PRINCIPLES FOR APPLICATION

As data subject, you may make a submission in relation to your requests regarding your rights in article 11 of the Law numbered 6698, in line with the procedures and principles in the Data Subject Application Form, by filling out the relevant form and sending it a message to our REM address ekufren@hs02.kep.tr or with your e-mail address registered in your system sent to kvkk@eku.com.tr or with a message sent with a secure e-signature, by a written application bearing signature made in person or via notary to our address Tosb OSB 1. Cad. No:13 Çayırova /Kocaeli. The Company will conclude the application made by you as soon as possible depending on the nature of the request and at the latest within thirty days free of charge. However, in case the transaction requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be charged by the Company.

In this context, as the data subject, you have the following rights;

  • To learn whether your personal data is processed or not,
  • To demand for information as to if your personal data have been processed,
  • To learn the purpose of processing of your personal data and whether these personal data are used in compliance with such purpose,
  • To know the third persons to whom personal data were transferred in the country or abroad,
  • To request the rectification of the incomplete or inaccurate data, if any,
  • To request the erasure or destruction of your personal data,
  • To request the notification to third persons to which personal data were transferred,
  • To object to the occurrence of a result against himself/herself by analyzing of the data processed solely through automated systems,
  • To claim compensation for the damage arising from the unlawful processing of your personal data.