Personal Data Protection Policy

This Simoro Kuyumculuk San. ve Tic. Ltd. Personal Data Protection Policy (“Policy”), forming part of the Simoro Kuyumculuk San. ve Tic. Ltd. Code of Ethics, is designed to establish a compliance framework and coordinate activities to comply with legislation on the protection and processing of personal data. The aim is to ensure that personal data processing by Simoro Kuyumculuk San. ve Tic. Ltd. is conducted in accordance with the principles of lawfulness, fairness, and transparency. All employees and executives at Simoro Kuyumculuk San. ve Tic. Ltd. are required to follow this Policy, and Business Partners are expected to adhere to its principles as applicable.

Definitions

  • Explicit Consent: Informed consent related to a specific matter, freely given.

  • Anonymization: Rendering personal data unable to be associated with any identifiable individual, even when combined with other data.

  • Data Subject: An individual whose personal data is processed (including customers, visitors, employees, and job applicants).

  • Business Partners: Suppliers, vendors, authorized service companies, representatives, subcontractors, and consultants acting on behalf of the company.

  • Personal Data: Any information relating to an identified or identifiable individual.

  • Processing of Personal Data: Any operation performed on personal data, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

  • Legislation: All relevant laws in force regarding the protection of personal data, notably the Law on the Protection of Personal Data No. 6698.

  • Special Categories of Personal Data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health, sex life, or sexual orientation, along with biometric and genetic data.

  • VERBİS: Data Controllers Registry Information System.

  • Data Processor: Entity processing data on behalf of the data controller.

  • Data Controller: Entity determining the purposes and means of processing personal data, responsible for establishing and managing the data recording system.

General Principles

Violating this Policy could lead to legal, administrative, and criminal penalties for Simoro Kuyumculuk San. ve Tic. Ltd., potentially damaging the company’s reputation. It is crucial for Simoro Kuyumculuk San. ve Tic. Ltd. to process personal data in line with legal requirements and ethical principles.

Application of the Policy

1. Processing Personal Data Lawfully and in Good Faith: Personal data must be processed based on the principles of legality and good faith, adhering to legal requirements and ethical norms.

2. Ensuring Accuracy of Personal Data: Systems and measures must be in place to keep processed personal data accurate and up-to-date, respecting the rights of data subjects.

3. Processing Data for Legitimate Purposes: Personal data should only be processed for clear, explicit, and legitimate reasons, closely related to the company’s activities.

4. Limiting Data Processing to Necessary Scope: Data processing should be proportional to its purpose, avoiding unnecessary data collection.

5. Retention Periods: Personal data should be kept only as long as required by relevant legislation or necessary for the purposes of processing. Data should be deleted or anonymized when its retention period expires or its processing purpose ceases to exist.

Personal Data Processing Conditions

  • Data must be processed based on conditions specified in the legislation, ensuring that operations involving special categories of personal data adhere to stricter requirements.

  • Special care must be taken when processing sensitive data, obtaining explicit consent unless specified otherwise by law.

Data Transfer Requirements

  • Personal data should be transferred to third parties in compliance with processing purposes, legal bases, and necessary security measures, aligning with legislative conditions.

Obligations Related to Data Protection

  • Mandatory registration with VERBİS for Data Controllers, updating any changes promptly.

  • The Legal and Compliance Department should receive reports and oversee compliance updates regarding VERBİS registrations.

This policy, effective from its stated date, emphasizes Simoro Kuyumculuk San. ve Tic. Ltd.’s commitment to safeguarding personal data in line with legal standards and ethical practices.

Key Aspects of the Policy Include:

  • Processing personal data lawfully and in good faith.

  • Keeping personal data accurate and up-to-date.

  • Processing data for specified, explicit, and legitimate purposes.

  • Ensuring data processing is necessary and proportional to the purposes.

  • Storing data only as long as legally required or necessary for the processing purposes.

Policy Application

  • Personal data must be processed based on conditions specified in the Legislation.

  • Special categories of personal data are processed under specific conditions laid out in the Legislation, with necessary measures taken for their secure processing.

Transferring Personal Data

  • Personal data should be transferred to third parties in line with processing purposes and legal bases, ensuring necessary security measures are in place.

Obligations for Protection and Processing

  • Obligatory registration with VERBİS for Data Controllers as specified by the Legislation.

  • Necessary updates and revisions must be reported and reflected in VERBİS accordingly.

This policy, effective from its stated date, highlights Simoro Kuyumculuk San. ve Tic. Ltd.’s dedication to protecting personal data in compliance with legal standards and ethical practices.