PERSONAL DATA PROTECTION POLICY

The protection of personal data is handled with the utmost sensitivity by QUA GRANITE HAYAL YAPI VE ÜRÜNLERİ SANAYİ TİCARET A.Ş. (“QUA GRANITE” or the “Company”) in order to ensure that personal data is processed in compliance with applicable legislation and that confidentiality and security are maintained. QUA GRANITE processes personal data within the limits prescribed by the Law No. 6698 on the Protection of Personal Data (“Law” or “KVKK”), related secondary legislation, and the decisions of the Personal Data Protection Board.

This Policy has been prepared by QUA GRANITE, acting as the Data Controller, to fulfill the disclosure obligation set forth under Article 10 of the Law and to inform data subjects regarding their rights under Article 11 of the Law.

This Policy provides general information regarding all personal data processing activities. Separate privacy notices are prepared for specific processing activities to inform data subjects about the categories of processed personal data, purposes of processing, collection methods, legal bases, and data transfer recipients.

1. PROCESSING OF PERSONAL DATA

QUA GRANITE adopts the general principles regulated under Article 4 of the Law as a fundamental working principle to ensure that personal data is processed and protected in compliance with applicable legislation, particularly Article 20 of the Constitution concerning the protection of personal data.

This Policy also aims to transparently inform data subjects regarding their rights and requests under Article 11 of the Law.

1.1 Principles of Personal Data Processing

Compliance with law and principles of good faith:
QUA GRANITE processes personal data limited to the minimum amount necessary, without exceeding processing purposes and by considering the reasonable expectations of data subjects. Transparency is ensured and disclosure obligations are fulfilled.

Accuracy and up-to-dateness:
QUA GRANITE places importance on ensuring that personal data is accurate and up to date and takes necessary measures for verification and updates where required.

Processing for specific, explicit, and legitimate purposes:
Personal data is processed only for clearly defined and legitimate purposes and not for purposes other than those communicated to the data subject.

Data minimization (relevance, limitation, proportionality):
Processing activities are limited to data necessary for achieving the intended purpose. Data that is unnecessary or irrelevant is avoided.

Retention for the necessary period:
Personal data is retained only for the duration required by applicable legislation or processing purposes.

1.2 Method of Collecting Personal Data

Personal data may be collected through automated or non-automated methods via:

• Security cameras during physical visits,

• Verbal communication through business units,

• Hand delivery, printed documents, contracts, information collection forms,

• Email, registered electronic mail (KEP), fax, telephone, website, and similar channels,
  either verbally, in writing, or electronically.

During your relationship with QUA GRANITE, personal data may continue to be processed and updated when necessary to ensure accuracy.

1.3 Legal Grounds for Processing Personal Data

Under Article 5/1 of the Law, personal data cannot be processed without explicit consent unless one of the following legal grounds exists under Article 5/2:

• Explicitly provided for by law,

• Necessary to protect life or physical integrity where consent cannot be obtained due to actual impossibility,

• Necessary for the establishment or performance of a contract,

• Personal data made public by the data subject,

• Necessary for the establishment, exercise, or protection of a legal right,

• Necessary for the legitimate interests of the Data Controller, provided that fundamental rights and freedoms of the data subject are not harmed.

1.4 Processing of Special Categories of Personal Data

QUA GRANITE applies additional safeguards when processing special categories of personal data due to their sensitive nature and potential to cause discrimination or harm.

Special categories of personal data listed under Article 6 of the Law include:

• Race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs,

• Appearance and dress, association/foundation/union membership,

• Health data and sexual life,

• Criminal convictions and security measures,

• Biometric and genetic data.

Such data may be processed only under legally permitted conditions, including explicit consent, legal obligations, protection of life or physical integrity, publicly disclosed data, establishment or protection of legal rights, public health purposes, employment and social security obligations, or activities of non-profit organizations within legal limits.

Adequate security measures determined by the Board are applied. QUA GRANITE maintains a dedicated policy on the protection and processing of special categories of personal data.

1.5 Categories of Processed Personal Data

Depending on operational activities, QUA GRANITE may process the following categories of personal data:

Personal Data Categories

• Identity Information

• Contact Information

• Personnel Information

• Financial Information

• Professional Experience Information

• Legal Transaction Information

• Customer Transaction Information

• Physical Premises Security Information

• Visual and Audio Records

• Transaction Security Information

• Marketing Information

• Other Information (family, visitor, vehicle plate data, etc.)

Special Categories of Personal Data

• Health Information

• Religious/Philosophical Beliefs

• Criminal Conviction Information

• Biometric Data (fingerprint)

1.6 Data Subjects

This Policy covers personal data belonging to:

Board Members, employees, employee candidates, interns, customers, potential customers, visitors, supplier employees and representatives, external service providers, and other third parties whose data is processed fully or partially by automated means or as part of a data recording system.

1.7 Purposes of Processing Personal Data

Personal data may be processed for purposes including but not limited to:

Human Resources Management

• Recruitment and placement processes

• Employee satisfaction and engagement

• Performance evaluation and career development

• Occupational health and safety

• Payroll and benefits management

• Training and compliance activities

Corporate Management

• Strategic planning and investment activities

• Contract management

• Organizational and event management

• Risk management and corporate governance

Sales, Customer and Supplier Management

• Financial and accounting operations

• Logistics and operational processes

• Sales and after-sales services

• Customer relationship management

• Marketing analysis and promotional activities

• Complaint and request management

• Supply chain management

Ensuring Legal, Technical and Commercial Security

• Information security processes

• Access authorization management

• Physical security management

• Visitor tracking

• Operational security of the data controller

Fulfillment of Legal Obligations

• Compliance with legislation

• Legal process management

• Archiving and reporting obligations

2. TRANSFER OF PERSONAL DATA

Personal data may be transferred in accordance with Articles 8 and 9 of the Law, limited to processing purposes, to:

• Authorized public institutions and authorities (e.g., Social Security Institution, Revenue Administration),

• Service providers requiring professional expertise (accounting, legal, HR, occupational safety services),

• Suppliers for procurement processes,

• Business partners, group companies, and affiliated companies,

• Banks for financial transactions,

• Domestic and international IT service providers, hosting, cloud systems, and database services.

3. ENSURING SECURITY AND CONFIDENTIALITY OF PERSONAL DATA

The right to protection of personal data is constitutionally guaranteed under the right to privacy following the 2010 constitutional amendment.

QUA GRANITE implements administrative and technical safeguards under Article 12 of the Law to:

• Prevent unlawful processing,

• Prevent unauthorized access,

• Ensure secure storage of personal data.

4. PROCESS MANAGEMENT FOR PERSONAL DATA PROTECTION

QUA GRANITE attaches great importance to personal data protection by:

• Providing KVKK awareness trainings to employees,

• Implementing information security policies,

• Monitoring compliance with policies,

• Assigning responsible roles for policy implementation, updates, and data destruction processes,

• Conducting internal audits and receiving expert consultancy when required.

5. RETENTION AND DESTRUCTION OF PERSONAL DATA

Personal data is retained only for legally required periods or for the duration necessary for processing purposes.

At the end of retention periods, personal data is destroyed through deletion, destruction, or anonymization in accordance with the Company’s Data Retention and Destruction Policy.

Examples of Retention Periods

• Personnel files: 10 years after termination

• Job applications: max. 1 year

• Contracts: 10 years after termination

• CCTV recordings: 1 month

• Visitor records: 2 years

• Call center recordings: 1 year

• Customer/Supplier records: 10 years

• OHS records: 15 years

6. INFORMING DATA SUBJECTS

Data subjects are informed through separate privacy notices specific to processing activities. Necessary disclosures are provided electronically or physically depending on the collection method.

7. RIGHTS OF DATA SUBJECTS AND EXERCISE OF RIGHTS

7.1 Rights of Data Subjects

You have the right to:

• Learn whether personal data is processed,

• Request information,

• Learn processing purposes,

• Learn transfer recipients,

• Request correction, deletion, or destruction,

• Object to automated decision-making results,

• Request compensation for unlawful processing.

7.2 Exercising Your Rights

Applications may be submitted by completing the Data Subject Application Form available at https://qua.com.tr/ and submitting:

• Signed hard copy to
  Söke Organized Industrial Zone Mah. 4th Street No:1 Söke, Aydın,

• Via registered electronic mail (KEP): quagranite@hs03kep.tr,

• Via email: kvkk@qua.com.tr

Requests are concluded free of charge within 30 days, unless additional cost arises.

7.3 Rejection of Applications

Applications may be rejected under Article 28 of the Law in legally defined exceptional cases such as national security, criminal investigations, public safety, statistical processing, or freedom of expression activities.

8. IMPLEMENTATION OF THE POLICY

QUA GRANITE, as the Data Controller, is responsible for implementing, coordinating, and supervising compliance processes. In case of conflict between legislation and this Policy, applicable legislation prevails.

9. EFFECTIVENESS AND PUBLICATION

This Policy entered into force on 07.07.2021.
Version 2 was updated on 25.06.2018.
This Version 3 was updated on 27.06.2024.

The most current version is published at www.qua.com.tr.

10. DATA CONTROLLER INFORMATION

Company Name: QUA GRANITE HAYAL YAPI VE ÜRÜNLERİ SANAYİ TİCARET A.Ş.
MERSIS Number: 046004676180013
Address: Söke Organized Industrial Zone Mah. 4th Street No:1 Söke, Aydın
Phone: 0850 888 07 08
Fax: 0850 466 06 60
Email: info@qua.com.tr
KEP: quagranite@hs03kep.tr
VERBIS Registration: https://verbis.kvkk.gov.tr/Query/Details?q=QsWGrQfyzHTUMzo1lGcqRw%3D%3D&isNeviChange=duu6TOm7jzzm1f64DfpShw%3D%3D

DEFINITIONS

Personal Data: Any information relating to an identified or identifiable natural person.
Special Categories of Personal Data: Data relating to race, religion, health, criminal records, biometric and genetic data, etc.
Explicit Consent: Freely given, informed, and specific consent which may be withdrawn at any time.
Data Controller: The entity determining purposes and means of processing personal data.
Data Subject: The natural person whose personal data is processed.
Contact Person: Individual responsible for communication between the Data Controller and the Authority.
Processing of Personal Data: Any operation performed on personal data such as collection, storage, transfer, or deletion.
Data Recording System: A structured system in which personal data is processed.
Anonymization: Rendering personal data incapable of being associated with an identifiable person.
Board: Personal Data Protection Board.
Authority: Personal Data Protection Authority.
Data Processor: Natural or legal person processing personal data on behalf of the Data Controller.