Policy On The Processing And Protection Of Personal Data

With regard to the protection of personal data, QUA GRANITE HAYAL YAPI VE ÜRÜNLERİ SANAYİ TİCARET A.Ş. (“QUA GRANITE” or the “Company”) shows utmost sensitivity to the processing of personal data in compliance with the relevant legislation and to ensuring confidentiality and security. QUA GRANITE processes personal data within the mandatory limits set forth by the Law No. 6698 on the Protection of Personal Data (“Law” or “KVKK”), the secondary regulations related thereto, and the decisions of the Personal Data Protection Board.

This Policy has been prepared by the Data Controller in order to fulfill the obligation to inform under Article 10 of the Law and to inform data subjects regarding their rights set forth under Article 11 of the Law.

This Policy provides general information regarding the entirety of personal data processing activities, and separate clarification texts have been prepared for different activities subject to personal data processing in order to inform data subjects. The personal data processed, the purpose of processing personal data, the method of collection and legal basis, and information on to whom and for what purpose such data is transferred are included in the clarification texts specific to the data subjects.

1. PROCESSING OF PERSONAL DATA

QUA GRANITE has adopted the general principles regulated under Article 4 of the Law as its working principle in order to ensure the processing and protection of personal data in compliance with the procedures and principles stipulated by the personal data protection legislation, especially Article 20 of the Constitution.

In addition, this Policy also aims to inform data subjects as transparently as possible regarding their rights and requests set forth under Article 11 of the Law.

1.1. Principles of Processing Personal Data

  • Principle of being compliant with the law and rules of honesty: QUA GRANITE processes the minimum amount of data possible without going beyond the purpose of processing, taking into account the reasonable expectations of data subjects. It takes care to ensure that the data processing activity is transparent for the relevant person and fulfills its obligation to inform.
  • Principle of personal data being accurate and up to date: QUA GRANITE attaches importance to personal data being accurate and up to date. Where necessary, data is updated and its accuracy is verified.
  • Principle of processing personal data for specific, explicit and legitimate purposes: Personal data is processed for definite, explicit and legitimate purposes. QUA GRANITE does not process personal data for any purpose other than the purposes stated to the relevant person.
  • Principle of being relevant, limited and proportionate to the purpose for which they are processed: Data processing activity is limited only to the data that is sufficient and necessary for the realization of the purpose. QUA GRANITE avoids processing data that is not suitable for achieving the purpose and is not needed.
  • Retention of personal data for the period required by the relevant purpose: QUA GRANITE retains personal data only for the periods required by the personal data processing purpose stipulated in the relevant legislation.

1.2. Method of Collecting Personal Data

Your personal data may be collected verbally, in writing or electronically through automatic or non-automatic means, during your physical visit to our Company via security cameras, verbal communication by business units, hand delivery, paper, contracts, data collection forms, e-mail, registered electronic mail (KEP), fax, telephone, website and other similar channels.

During your relationship with QUA GRANITE, your personal data may be processed and may be updated as necessary in order to ensure the accuracy and currency of your data.

1.3. Legal Basis for Processing Personal Data

Pursuant to paragraph 1 of Article 5 of the Law, personal data may not, as a rule, be processed without the explicit consent of the data subject. Explicit consent is obtained by informing the data subject on the relevant matter and receiving such consent through their free will. However, under Article 5 paragraph 2 of the Law, personal data may be processed without seeking the explicit consent of the data subject if one of the following conditions exists:

  • Explicitly provided for by law: Personal data may be processed without obtaining the explicit consent of the data subject where there is an explicit provision in the laws regarding the processing of personal data.
  • Inability to obtain the explicit consent of the relevant person due to actual impossibility: Personal data of the data subject may be processed where it is mandatory to process personal data in order to protect the life or physical integrity of the person or another person who is unable to disclose consent due to actual impossibility or whose consent cannot be deemed legally valid.
  • Being directly related to the establishment or performance of a contract: Personal data may be processed if it is necessary to process the personal data of the parties to a contract, provided that such processing is directly related to the establishment or performance of the contract.
  • Having been made public by the relevant person: Personal data that has been disclosed to the public and made publicly available in any way by the data subject may be processed limited to the purpose of such public disclosure.
  • Data processing being mandatory for the establishment, exercise or protection of a right: Personal data of the data subject may be processed where processing is mandatory for the establishment, exercise or protection of a right.
  • Data processing being mandatory for the legitimate interests of the Data Controller: The Data Controller first determines the legitimate interest that it will obtain as a result of processing personal data and evaluates the possible impact of processing personal data on the rights and freedoms of the data subject, and if it concludes that the balance of interests is not impaired, it carries out the processing activity.

1.4. Processing of Special Categories of Personal Data

QUA GRANITE shows sensitivity in the processing of special categories of personal data, since additional measures need to be taken for their retention and transfer compared to other personal data. Special categories of personal data are data that may cause discrimination or victimization against the relevant person if learned. The special categories of personal data listed exhaustively in Article 6 of the Law are data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and attire, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Pursuant to the Law, the processing of special categories of personal data is prohibited. However, such data may be processed in the following cases:

  • Where the explicit consent of the relevant person exists,
  • Where it is explicitly provided for in laws,
  • Where it is mandatory for the protection of the life or physical integrity of the person or another person, in cases where the person is unable to disclose consent due to actual impossibility or whose consent is not legally valid,
  • Where it relates to personal data made public by the relevant person and is in line with the intention of disclosure,
  • Where it is mandatory for the establishment, exercise or protection of a right,
  • Where it is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under an obligation of confidentiality or by authorized institutions and organizations,
  • Where it is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance,
  • Where it concerns current or former members and affiliates of foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, or persons who are in regular contact with such organizations and formations, provided that it complies with the legislation and purposes to which they are subject, is limited to their fields of activity, and is not disclosed to third parties.

In the processing of special categories of personal data, it is also required that adequate measures determined by the Board be taken. QUA GRANITE implements a policy regarding the processing and protection of special categories of personal data.

1.5. Categories of Processed Data

At QUA GRANITE, personal data and special categories of personal data may be processed, within the scope of the data processing conditions specified in Articles 5 and 6 of the Law, in the categories listed below. The personal data processed may vary depending on the activity carried out by QUA GRANITE, and data subjects are informed through separate clarification texts prepared for each activity subject to personal data processing.

Categories of Personal Data Processed by QUA GRANITE

  • Identity Information
  • Contact Information
  • Personnel Information
  • Financial Information
  • Professional Experience Information
  • Legal Transaction Information
  • Customer Transaction Information
  • Physical Premises Security Information
  • Information Related to Visual and Audio Records
  • Transaction Security Information
  • Marketing Information
  • Other Information (Family Information, Visitor Information, Vehicle License Plate Information, etc.)

Special Categories of Personal Data Processed by QUA GRANITE

  • Health Information
  • Information Relating to Philosophical Belief, Religion, Sect and Other Beliefs
  • Information Relating to Criminal Convictions and Security Measures
  • Biometric Data (Fingerprint)

1.6. Data Subjects

This Policy covers all personal data processed fully or partially by automatic means or by non-automatic means provided that they are part of any data recording system, belonging to Board Members, employees, employee candidates, interns, customers, potential customers, visitors, supplier employees and officials, external service providers and other third parties.

1.7. Purposes of Processing Personal Data

Personal data obtained by QUA GRANITE may be processed for the purposes set out in the table below within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law.

Main Purposes and Sub-Purposes

Within the Scope of Planning, Developing and Executing Human Resources Policy and Processes
  • Execution of emergency processes
  • Execution of employee candidate / intern selection and placement processes
  • Execution of application processes of employee candidates
  • Execution of employee satisfaction and loyalty processes
  • Fulfillment of obligations arising from employment contracts and legislation for employees
  • Execution of fringe benefits and employee benefits processes
  • Execution of audit / ethics activities
  • Execution of training activities
  • Follow-up and execution of legal affairs
  • Execution of internal audit / investigation / intelligence activities
  • Execution of communication activities
  • Planning of human resources processes
  • Execution of occupational health / safety activities
  • Execution of performance evaluation processes
  • Execution of wage policy
  • Execution of talent / career development activities

Within the Scope of Execution, Planning and Management of Corporate Relations
  • Execution of assignment processes
  • Execution of communication activities
  • Receiving and evaluating suggestions for the improvement of business processes
  • Organization and event management
  • Execution of risk management processes
  • Execution of contract processes
  • Execution of strategic planning activities
  • Execution of investment processes
  • Execution of management activities

Within the Scope of Conducting the Sales Process and Managing Customer and Supplier Relations
  • Execution of finance and accounting affairs
  • Execution of communication activities
  • Execution / supervision of business activities
  • Execution of activities for ensuring business continuity
  • Execution of logistics activities
  • Execution of goods / service procurement processes
  • Execution of after-sales support services for goods / services
  • Execution of goods / service sales processes
  • Execution of goods / service production and operation processes
  • Execution of customer relationship management processes
  • Execution of activities aimed at customer satisfaction
  • Execution of marketing analysis studies
  • Execution of advertising / campaign / promotion processes
  • Execution of contract processes
  • Follow-up of requests and complaints
  • Ensuring the security of movable goods and resources
  • Execution of supply chain management processes
  • Execution of marketing processes of products / services

Within the Scope of Ensuring the Legal, Technical and Commercial Business Security of the Company and Relevant Persons Having a Business Relationship with the Company
  • Execution of information security processes
  • Execution of access authorizations
  • Ensuring physical premises security
  • Execution of risk management processes
  • Ensuring the security of movable goods and resources
  • Ensuring the security of data controller operations
  • Creation and follow-up of visitor records

Within the Scope of Fulfillment of Legal Obligations
  • Execution of activities in compliance with legislation
  • Execution of finance and accounting affairs
  • Follow-up and execution of legal affairs
  • Execution of storage and archive activities
  • Providing information to authorized persons, institutions and organizations

2. TRANSFER OF PERSONAL DATA

Personal data may be transferred by QUA GRANITE in line with data processing purposes in compliance with the conditions for transfer of personal data specified in Articles 8 and 9 of the Law. Recipient groups and transfer purposes are set out in the table below. Data transfer should be carried out in a manner that is relevant, limited and adequate for the transfer purpose.

RECIPIENT GROUPS AND TRANSFER PURPOSES

  • To the Social Security Institution, Revenue Administration and other public institutions and organizations legally authorized, for the purpose of fulfilling legal obligations
  • To real persons and private legal entities from whom support services are received in areas requiring expertise such as training, accounting, law, occupational health and safety, and human resources (such as CPA, Sworn-in CPA, outsourced law office, human resources employment company, OSGB)
  • To relevant suppliers for the execution of procurement processes
  • To business partners, group companies and companies that have an organic connection with QUA GRANITE and have similar partnership structures, for the purpose of carrying out commercial activities and implementing Company policies
  • To banks for the purpose of carrying out banking transactions
  • To domestic firms from which storage, archiving and information technologies support services are obtained (program usage), and to information technologies support service providers located abroad due to sharing via e-mail and due to the database being located abroad (server, hosting, software, cloud computing)

3. ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA

The right to request the protection of personal data gained constitutional protection within the scope of the “right to privacy and protection of private life” by adding a paragraph to the relevant article of the Constitution through the constitutional amendment made in 2010 by Law No. 5982.

QUA GRANITE provides the necessary administrative and technical measures to ensure an appropriate level of security, in accordance with Article 12 of the Law, in order to prevent unlawful processing of personal data, prevent unlawful access to personal data, and ensure the preservation of personal data, taking into account the nature of personal data.

4. PROCESS MANAGEMENT REGARDING THE PROTECTION OF PERSONAL DATA

Our Company attaches great importance to the protection of personal data. Care is taken to ensure that employees participate in KVKK trainings and that awareness is created. Our Company has established information security policies. In personal data processing activities, action is taken in accordance with the procedures and principles regulated in these policies. Responsible persons and division of duties have been determined regarding the implementation of the policies, monitoring employees’ compliance with the policies, updating and publishing the policy, and carrying out data destruction processes. Our Company is authorized to make the necessary updates in the content of the policies in line with amendments to the law and Board Decisions regarding the protection of personal data and information security. The Company conducts/has conducted the necessary audits within the scope of KVKK. Expert support services may be obtained from specialists in the relevant field in the execution of the process.

5. STORAGE AND DESTRUCTION OF PERSONAL DATA

QUA GRANITE retains personal data in accordance with the periods required for the purpose for which they are processed and the periods stipulated in the legal legislation applicable to the relevant activity. Within this scope, our Company first determines whether a retention period is prescribed in the relevant legislation for personal data; if such a period has been determined, it retains the data in compliance with this period. If there is no legal period, personal data is retained for the period necessary for the purpose for which it is processed.

At the end of the determined retention periods or upon the request of the data subject, personal data is destroyed by the destruction methods determined by QUA GRANITE (deletion, destruction or anonymization).

QUA GRANITE implements a Data Retention and Destruction Policy.

Process: Retention Period

  • Data Related to Personnel Files Retained within the Scope of Labor Law: 10 years from the date the employee leaves employment
  • Data Related to Job Application / Internship Application Evaluation Process: Maximum 1 year from the date of application
  • Execution of Contractual Relationships: 10 years following the termination of the contract
  • Camera Recordings: 1 month
  • Visitor Records: 2 years
  • Call Center Voice Recordings: 1 year
  • Personal Data Relating to Suppliers: 10 years after the end of the legal relationship
  • Data Relating to Customers: 10 years after the end of the legal relationship
  • Visual and Audio Records Obtained at Events and Organizations: 10 years
  • Corporate Communication Activities: 10 years from the end of the activity
  • Data Collected within the Scope of Occupational Health and Safety Legislation: 15 years from the end of the employment relationship
  • Deletion, Destruction, Anonymization Record Process: 3 years from the date of the transaction
  • Data Processed Pursuant to Corporate Communication Activities for Employees: 10 years from the end of the employment relationship

6. INFORMATION OF PERSONAL DATA SUBJECTS

This Policy provides general information regarding the entirety of personal data processing activities. Relevant persons are informed in detail through separate clarification texts specific to the data processing activity, and explicit consent is obtained where necessary. In this context, separate clarification and explicit consent texts are used for data subjects such as employees, employee candidates, customers, potential customers and suppliers.

During personal data processing activities, our Company informs the relevant persons whose data is processed about the categories of data processed, the purposes of data processing, the method and legal basis of data collection, the recipient groups to whom data is transferred and the purpose of such transfer, their rights as data subjects, and our Company as the Data Controller. Necessary clarifications are published in electronic or physical environments in a manner compatible with the data collection method.

7. RIGHTS OF PERSONAL DATA SUBJECTS AND EXERCISE OF THESE RIGHTS

7.1. Rights of the Personal Data Subject

  • To learn whether your personal data is being processed,
  • To request information if your personal data has been processed,
  • To learn the purpose of processing your personal data and whether they are used in accordance with that purpose,
  • To know the third parties to whom your personal data is transferred domestically or abroad,
  • To request correction of your personal data if it is incomplete or incorrectly processed and to request notification of the transaction made within this scope to third parties to whom your personal data has been transferred,
  • To request deletion or destruction of your personal data if the reasons requiring its processing cease to exist, although it has been processed in accordance with the Law and other relevant legal provisions, and to request notification of the transaction made within this scope to third parties to whom your personal data has been transferred,
  • To object to the occurrence of a result against you by analyzing the processed data exclusively through automated systems,
  • To request compensation for the damage in case you suffer damage due to unlawful processing of your personal data.

7.2. Exercise of the Rights of the Personal Data Subject

You may submit your applications and requests listed above by filling out the Data Subject Application Form published on our website at https://qua.com.tr/ and submitting it in one of the following ways:

  • By delivering a signed hard copy in person or through a notary public to our address at Söke Organize Sanayi Bölgesi Mah. Sokak No: 1 Söke, Aydın,
  • By sending it to our registered electronic mail address quagranite@hs03kep.tr using a registered electronic mail (KEP) address and secure electronic signature or mobile signature,
  • By sending an electronic mail to QUA GRANITE at kvkk@qua.com.tr.

The application must include your name and surname, and your signature if the application is in writing; your Turkish Republic ID number if you are a citizen of the Republic of Türkiye, or your nationality and passport number or identity number, if any, if you are a foreigner; your residential or workplace address for notification; your electronic mail address, telephone and fax number for notification, if any; and the subject of your request. Information and documents related to the subject must be attached to the application. In applications prepared without filling out the application form, the matters listed in this paragraph must be submitted to our Company completely. Otherwise, the application will not be considered a valid application.

In order for third parties to apply on behalf of the relevant person whose personal data is processed, there must be a special power of attorney issued through a notary public by the relevant person in the name of the person who will apply.

Our Company may request verifying information in order to confirm that the applicant is the relevant person and to ensure that application results are communicated to the correct person. (For example, additional verifications such as sending a message to your registered phone or calling you may be requested.)

Your request included in the application will be concluded free of charge as soon as possible and within 30 days at the latest depending on the nature of the request. However, if the transaction requires an additional cost for the company, the fee in the tariff determined by the Personal Data Protection Board will be charged by our Company. If your request is accepted, the necessary action will be taken. However, if your request is rejected as a result of the examination and evaluation, the reason for rejection will be notified to you in writing or electronically.

You may access detailed information regarding your rights to apply to the data controller and to complain to the Board in Articles 13, 14 and 15 stated in the Fourth Section of the Law.

7.3. Rejection of the Personal Data Subject’s Application

Pursuant to Article 28 of the Law, QUA GRANITE may reject the application of the data subject by explaining the reason in the following cases:

  • Processing of personal data by natural persons within the scope of activities relating to themselves or family members living in the same household, provided that such data is not disclosed to third parties and obligations regarding data security are complied with.
  • Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
  • Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that national defense, national security, public security, public order, economic security, privacy or personal rights are not violated and such processing does not constitute a crime.
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
  • Processing of personal data by judicial authorities or enforcement authorities with regard to investigation, prosecution, trial or execution proceedings.

Pursuant to Article 28/2 of the Law, provided that it is in accordance with the purpose and fundamental principles of this Law and proportionate, Article 10 regulating the data controller’s obligation to inform, Article 11 regulating the rights of the relevant person except for the right to request compensation for damage, and Article 16 regulating the obligation to register with the Registry of Data Controllers shall not apply in the following cases:

  • Where processing of personal data is necessary for the prevention of a crime or for criminal investigation.
  • Processing of personal data that has been made public by the relevant person.
  • Where personal data processing is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.
  • Where personal data processing is necessary for the protection of the economic and financial interests of the State in matters relating to budget, tax and financial issues.

8. IMPLEMENTATION OF THE POLICY

QUA GRANITE, as the data controller, is responsible for the implementation of the Policy and for the follow-up, coordination and supervision of all business and actions regarding the compliance process with the Law. Relevant legal regulations in force regarding the processing and protection of personal data shall primarily find application. In case of any inconsistency between the legislation in force and the Policy, QUA GRANITE accepts that the legislation in force shall apply.

9. ENTRY INTO FORCE AND PUBLICATION OF THE POLICY

This Policy entered into force on 07/07/2021. It was updated by QUA GRANITE on 25.06.2018 and its 2nd version was published. It was updated on 27.06.2024 and this 3rd version was prepared.

In case the whole Policy or certain articles thereof are updated, the updates shall enter into force on the date they are published. The most up-to-date version of the Policy is published on the website www.qua.com.tr.

10. DATA CONTROLLER INFORMATION

Title: QUA GRANITE HAYAL YAPI VE ÜRÜNLERİ SANAYİ TİCARET A.Ş.

MERSIS Number: 046004676180013

Address: Söke Organize Sanayi Bölgesi Mah. 4.Sokak No:1 Söke, Aydın

Phone: 0850 888 07 08

Fax: 0850 466 06 60

E-mail address: info@qua.com.tr

KEP address: quagranite@hs03kep.tr

VERBIS Registration: https://verbis.kvkk.gov.tr/Query/Details?q=QsWGrQfyzHTUMzo1lGcqRw%3D%3D&isNeviChange=duu6TOm7jzzm1f64DfpShw%3D%3D

Definitions and Explanations

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing and attire, membership in associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
  • Explicit Consent: Consent that is related to a specific subject, based on information and expressed with free will. The data subject always has the right to withdraw consent.
  • Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
  • Relevant Person / Data Subject: The natural person whose personal data is processed.
  • Contact Person: The person responsible for ensuring communication between the data controller and the relevant person or the Personal Data Protection Authority.
  • Processing of Personal Data: Any operation performed on data such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, wholly or partially by automatic means or by non-automatic means provided that it is part of any data recording system.
  • Data Recording System: A recording system in which personal data is processed by being structured according to certain criteria.
  • Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way whatsoever, even by matching it with other data.
  • Board: The Personal Data Protection Board.
  • Authority: The Personal Data Protection Authority.
  • Data Processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.