Internet Disclosure Policy
DISCLOSURE TEXT (INTERNET)
1. COMPANY STATEMENT
As the data controller, SÜMER INTERNATIONAL INDUSTRY AND TRADE INC. ensures that all personal data processed within our company is protected in accordance with relevant national and international legislation, primarily the Personal Data Protection Law No. 6698. Our company takes necessary technical and administrative measures in a timely manner. To ensure adequate protection, necessary notifications are made, and in case of any suspected violation, relevant individuals, institutions, and organizations are promptly notified in accordance with legal provisions.
The information of the Data Controller is as follows:
Title: SÜMER INTERNATIONAL INDUSTRY AND TRADE INC.
MERSIS No / Tax No: 7860018595
Email Address: info@sumeras.com
Postal Address: BAŞKENT OSB MAHALLESİ BAŞKENT BULVARI NO:81 SİNCAN/ANKARA
Tel: 0312 418 4129
1. EXPLANATIONS REGARDING THE CONCEPT OF PERSONAL DATA AND ITS EVOLUTION
Personal data can be defined as any information that can identify individuals. In this context, information about a person's identity, contact details, health and financial information, as well as details about their private life, religious beliefs, and political views are considered personal data. For example: name, surname, date of birth, mobile phone number, email, gender, address, profession, education, shopping location and time, payment amount, discounts used, product information in their account, browsing and clicking behavior in applications, location data when opening the app, etc.
Today, such data is frequently used by both private and public sectors through automated information systems. While the use of this information provides certain conveniences or advantages to individuals and service providers, it also carries the risk of misuse. Unauthorized access, use, or disclosure of this data constitutes a violation of both contractual agreements and fundamental rights guaranteed by our Constitution. A reasonable balance must be struck between these two interests. The lack of specific legislation and effective oversight mechanisms for personal data processing has created negative perceptions in our society. To eliminate this perception, principles regarding the processing, storage, and control of personal data under certain conditions must be established.
With the growing awareness of human rights protection in our era, the importance of personal data protection is increasing daily. Therefore, developed countries have implemented detailed legal regulations in this field.
In our country, there is no comprehensive law regulating personal data protection, and provisions on this subject are scattered across different laws. Additionally, there is no institution to oversee and regulate personal data processing. As a result, personal data can still be used by many individuals or organizations without adequate regulation or oversight, potentially leading to rights violations.
There are various reasons why a law on personal data protection is needed in our country. First, unlawful acquisition, recording, or disclosure of personal data is criminalized under Article 135 et seq. of the Turkish Penal Code No. 5237. However, there are uncertainties about when these actions are lawful or unlawful.
Furthermore, with the constitutional amendment made by Law No. 5982 on September 12, 2010, personal data protection was recognized as a fundamental human right under Article 20 of the Constitution, with details to be regulated by law.
Regarding our country's ongoing EU accession process, four negotiation chapters are directly related to personal data. To progress in these chapters, a fundamental law on personal data protection must be enacted.
The issue of personal data protection began appearing in international documents in the 1980s. The first was the OECD, of which Turkey is a member, which adopted the "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data" on September 23, 1980. The Council of Europe prepared Convention No. 108 "For the Protection of Individuals with regard to Automatic Processing of Personal Data," which was opened for signature on January 28, 1981, and signed by Turkey.
The Council of Europe has also adopted recommendations on personal data protection for various sectors, including medical databases, scientific research, direct marketing, social security, insurance, police records, employment, electronic payments, telecommunications, and internet. While drafting the law, these recommendations were considered, but the "framework draft" nature was maintained.
The EU enacted the "Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data" (95/46/EC) on October 24, 1995, to harmonize legislation. This Directive aims to ensure high-level protection of personal data and free movement within the EU.
Due to the inadequacy of pre-GDPR agreements and directives, and considering differences between countries, a consensus was reached on December 15, 2011, for a comprehensive EU-wide reform. The GDPR, prepared in 2012, was adopted by the EU Parliament on April 14, 2016. The GDPR repealed Article 94 of Directive 95/46/EC while expanding the scope of the 2002/58/EC ePrivacy Directive.
The 2010 constitutional amendment added a new paragraph to Article 20 of the Constitution, stating: "Everyone has the right to request protection of their personal data. This right includes being informed about, accessing, rectifying, or deleting personal data, and learning whether they are used appropriately. Personal data may only be processed in cases prescribed by law or with explicit consent. Principles and procedures for personal data protection shall be regulated by law."
The Constitution specifies that detailed regulations on personal data protection will be made by law. In this context, the "Draft Law on the Protection of Personal Data" was submitted to the Turkish Grand National Assembly on December 26, 2014. The draft became law on March 24, 2016, and the Personal Data Protection Law No. 6698 was published in the Official Gazette No. 29677 on April 7, 2016, entering into force.
The Draft, prepared considering international documents, comparative legal practices, and Turkey's needs, aims to ensure personal data is processed and protected according to modern standards.
1. DEFINITION OF THE OPERATOR
This disclosure and information text is directed to all relevant parties and legally concerned individuals who have any relationship with our company. Relevant individuals within this scope include:
- All users connecting to or using our company channels (our company websites and social media sites: http://sumeras.com)
- Those connecting to guest networks (WiFi) in company offices, warehouses, and stores
- Users of company mobile applications and proprietary programs
- All customers in the company database (CRM System)
- Customers making purchases from company stores or online channels
- Visitors to our company stores for any purpose
- All customers contacting the COMPANY through social media accounts (including but not limited to sharing comments or making requests)
- Third parties entering commercial relationships with our company directly or through intermediary consulting firms
- Company employees and partners
- Candidates in the application process with our company
- All customers filling out surveys and forms to benefit from company promotions
- Job applicants submitting resumes via career portals, ISKUR, email, references, or physically submitting application forms to the Company
- Current employees working within the Company
- Interns or probationary workers at our company
- Former employees whose contracts were terminated for any reason
- All business partners and their employees within our commercial activities
- Individuals who have shared or will share personal data with the company face-to-face, remotely, verbally, in writing, or electronically, or who have directly provided, or will provide, such data, or have enabled, or will enable, the company to obtain it
In addition to the relevant individuals mentioned above, anyone entering any legal, human, commercial, or other relationship with our company is addressed by this text.
Personal data obtained within the scope of services provided by our company (data processed through online forms or at checkout via the ... application allocated to our company) is never shared with third parties and is only stored by relevant data processors. Processing occurs within our privacy and security policies framework, under legal obligations, with signed informed consent texts by relevant individuals. In cases of commercial necessity or with your explicit consent, your information may be shared with supporting companies such as transportation companies or service providers within the scope of privacy policies.
1. PROCESSING OF PERSONAL DATA AND APPLICABLE BASIC PRINCIPLES
PROCESSING
Processing of personal data means any operation performed on data, whether fully or partially automated or non-automated as part of a data recording system, including collection, recording, storage, preservation, modification, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use. All activities performed from collection to deletion, destruction, or anonymization of personal data are considered processing under the Law.
Your personal data is processed within our company in connection with commercial activity requirements, workplace order, and general operations, in accordance with Labor Law No. 6545, Labor Law No. 4857, Personal Data Protection Law No. 6698, Turkish Code of Obligations No. 6098, Social Insurance Law No. 5510, Occupational Health and Safety Law No. 6331, primarily Consumer Protection Law No. 6502 and Electronic Commerce Law No. 29166, and other legislation issued in line with these provisions. Such data is obtained from information within employment contracts, commercial contracts, other contractual relationships, personnel files, information and documents submitted by you, and information obtained from or notified by legally authorized institutions.
Your personal data may be collected automatically or non-automatically through verbal, written, or electronic means via our company's units and offices, website, social media channels, mobile applications, and similar means. When you use our call centers or website, or visit our website or social media channels, your personal data may be created and updated.
This data is processed under the supervision and responsibility of our company as data controller, by Human Resources, Data Protection Unit (DPO), Accounting, Data Processing, Call Center, Support Services and other service unit personnel, limited to exclusive purposes within legal frameworks. Data processing by the company doctor and company lawyer(s) may also occur as required by work and legal requirements.
There are fundamental principles regarding personal data processing recognized in international documents and reflected in many countries' practices. Article 4 of the Personal Data Protection Law regulates processing procedures in line with Convention 108 and EU Directive 95/46/EC. Accordingly, the general (basic) principles for processing personal data are as follows:
- Compliance with laws and principles of honesty
- Being accurate and up-to-date when necessary
- Processing for specific, clear, and legitimate purposes
- Being relevant, limited, and proportionate to the purposes for which they are processed
- Being retained for the period stipulated by relevant legislation or required for the purpose of processing
All personal data processing activities should be based on these principles and conducted accordingly. At the center of these principles, we take necessary technical, legal, and administrative measures for data protection. In this context, necessary studies have been conducted within our company, and these activities are updated in line with decisions of the Personal Data Protection Board and legislative changes.
1. CONDITIONS FOR PROCESSING PERSONAL DATA
Processing of personal data is defined in Article 3(e) of Law No. 6698 as follows:
"Processing of personal data: Any operation performed on personal data, whether fully or partially automated or non-automated as part of a data recording system, including collection, recording, storage, preservation, modification, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use."
How such personal data will be processed is regulated in Article 5 of the same Law:
"Conditions for processing personal data
ARTICLE 5-
(1) Personal data cannot be processed without the explicit consent of the data subject.
(2) In cases where one of the following conditions exists, personal data may be processed without seeking the explicit consent of the data subject:
a) Explicitly provided for by laws
b) Necessary to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent
c) Necessary for the establishment or performance of a contract directly related to the contracting parties
d) Mandatory for the data controller to fulfill its legal obligation
e) Made public by the data subject
f) Necessary for the establishment, exercise, or protection of a right
g) Necessary for the legitimate interests of the data controller, provided that fundamental rights and freedoms of the data subject are not harmed"
4. SPECIAL CATEGORIES OF PERSONAL DATA AND PROCESSING CONDITIONS
Certain types of data are inherently more sensitive than other personal data due to their nature and characteristics.
Therefore, the protection and processing of such data are regulated separately, with strict formal requirements, under the relevant law. Article 6(1) of the Law defines and enumerates special categories of personal data as follows:
Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data constitute special categories of personal data.
The provisions for processing these special categories are specified in other paragraphs of the same article as follows:
(2) Processing of special categories of personal data without the explicit consent of the data subject is prohibited.
(3) Personal data other than health and sexual life listed in the first paragraph may be processed without explicit consent in cases stipulated by laws. Personal data concerning health and sexual life may only be processed without explicit consent by persons under confidentiality obligations or authorized institutions and organizations for purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of healthcare services and their financing.
(4) When processing special categories of personal data, adequate measures determined by the Board must be taken.
The law regulates that certain special categories of personal data may be processed by non-profit organizations or formations such as political parties, foundations, associations or trade unions. Accordingly, these institutions may process special data of their members and personnel in line with their establishment purposes and applicable legislation, limited to their field of activity and without disclosure to third parties.
For example, if a political party or trade union stores identity and contact information of its members under the conditions specified in the paragraph, it falls under this provision. These organizations may only process sensitive data limited to their field of activity. For instance, a trade union may only process data related to union membership relevant to its activity scope and purpose. However, it cannot process members' health, religion or sect-related personal data as these are unrelated to its activity scope and purpose.
Special categories of personal data made public by the data subject may be processed. Since such data has been disclosed by the data subject and is therefore known to everyone, it is accepted that the legal interest requiring protection no longer exists.
When processing special categories of personal data is necessary for establishing, exercising or protecting a right, such data may be processed without consent. For example, an employer processing reports and documents regarding employees with disabilities under its disability employment obligation falls under this provision. Similarly, processing health reports from tax offices regarding a disabled person's status to enable them to purchase specially equipped vehicles exempt from special consumption tax also falls under this provision.
1. REQUESTED PERSONAL DATA AND PROCESSING PURPOSES
The main data sources include: contracts concluded with data subjects, information and documents exchanged between parties as required by legal relationships, forms filled online or physically, information provided to our call center or unit representatives, data obtained under cookie policies, and information obtained from other persons and documents.
Our company websites are as follows:
http://www.sumeras.com
Our company contact numbers: 0312 418 4129
To provide better service to customers and other third parties and inform them about discounts and other opportunities in their favor, cookie policies are implemented in digital environments. Cookies are small text files stored in users' browsers when visiting a webpage. They record information about the user's visit and, by keeping track of activity across requests, allow websites to recognize returning users. Cookies were first used by Netscape in 1994. Their original purpose was to check whether a user had revisited a site. Today, while still serving that original purpose, cookies are used to obtain much more information.
When our information is written to these files, the sites recognize us upon subsequent visits, eliminating the need to re-enter information. We browse various sites online and register with some. On registered sites, we click "remember me" to avoid entering our username and password each time; this activates a cookie, and our information is saved in a text file dedicated to that site. From the moment we open the site, the information read from the cookie reaches the site and identifies us. Our company also has a cookie policy accessible at: http://www.sumeras.com
Your data obtained through cookie policies and virtual environments will be protected within legal frameworks for marketing and advertising policy development purposes. Similarly, job applications, online training forms, surveys and other information forms will be protected within legal frameworks limited to their exclusive purposes. Within Human Resources policy implementation, such data may only be processed by this department for these purposes. If forms indicate notification, data may be evaluated by another data processing unit within our organization. This data may also be used as required by legal relationships with customers. For example, delivery address and ID information for deliveries, customer account details or credit card information for bank payments.
The requested data varies according to individuals' relationships but can be categorized as follows regarding our Company:
Identity Information | Data clearly belonging to an identifiable natural person; processed partially or fully automatically or as part of a data recording system non-automatically; data containing information about a person's identity: name-surname, ID number, address information, mother's name-father's name, place of birth, date of birth, tax number, social security number, signature information, documents such as driver's license, ID card and passport containing information such as vehicle plate, etc.
Contact Information | Data clearly belonging to an identifiable natural person; processed partially or fully automatically or as part of a data recording system non-automatically; phone number, address, email address, fax number, IP address, etc.
Family Members and Relatives Information | Data clearly belonging to an identifiable natural person; processed partially or fully automatically or as part of a data recording system non-automatically; information about family members (e.g. spouse, parents, children), relatives and other persons to be contacted in emergencies, as notified to our Company by personal data owners within our activities.
Security Information | Data clearly belonging to an identifiable natural person; processed partially or fully automatically or as part of a data recording system non-automatically; personal data regarding records and documents during entries to and stays at Company headquarters, branches, sales offices and similar facilities; camera recordings, fingerprint records and security checkpoint records, etc.
Financial Information | Data clearly belonging to an identifiable natural person; processed partially or fully automatically or as part of a data recording system non-automatically; bank account number, IBAN number, financial profile, asset data, income information and all types of financial information, documents and records created according to the type of legal relationship established between the Company and the personal data owner.
Audio/Visual Information | Data clearly belonging to an identifiable natural person; processed partially or fully automatically or as part of a data recording system non-automatically; photographs and camera recordings (excluding recordings under Security Information), voice recordings.
Personal Information | Data clearly belonging to an identifiable natural person; processed partially or fully automatically or as part of a data recording system non-automatically; all personal data processed to obtain information forming the basis of natural persons' personality rights within the business relationship with our company.
Special Categories of Personal Data | Data clearly belonging to an identifiable natural person; processed partially or fully automatically or as part of a data recording system non-automatically; data specified in Article 6 of the KVK Law (e.g. health status including blood type, biometric data, religion and membership information).
Request/Complaint Management Information | Data clearly belonging to an identifiable natural person; processed partially or fully automatically or as part of a data recording system non-automatically; personal data regarding requests and complaints directed to our Company.
2. CONDITIONS FOR PROCESSING PERSONAL DATA
The conditions for processing personal data are enumerated in Article 5 of the Law, and accordingly, personal data may be processed when at least one of the following conditions is met:
- Existence of explicit consent of the data subject,
- Explicitly provided for by laws,
- Necessary to protect life or physical integrity of data subject or another person where data subject is physically or legally incapable of giving consent,
- Necessary for establishment or performance of a contract directly related to contracting parties,
- Mandatory for data controller to fulfill legal obligation,
- Made public by data subject themselves,
- Necessary for establishment, exercise or protection of a right,
- Necessary for legitimate interests of data controller, provided fundamental rights and freedoms of data subject are not harmed.
The conditions for processing personal data, i.e. its lawfulness, are determined by being explicitly listed in the Law and these conditions cannot be expanded.
Special categories of personal data can only be processed with the explicit consent of the data subject. In addition, except for data related to health and sexual life, special categories of personal data may also be processed within the scope of legal regulations.
Conditions not requiring consent (KVKK 6/2): Personal data related to health and sexual life may be processed without the explicit consent of the data subject only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services, and only by persons or authorized institutions and organizations under confidentiality obligations.
3. METHODS OF DATA STORAGE AND PROTECTION
The information and documents obtained in the manner stated above will be protected by our company, and the methods of protection and storage are as follows:
Electronic Media:
- Servers (domain, backup, email, database, web, file sharing, etc.)
- Software (office software, portal, EBYS, VERBIS, etc.)
- Information security devices (firewall, intrusion detection and prevention, log files, antivirus, etc.)
- Personal computers (desktop, laptop)
- Mobile devices (phone, tablet, etc.)
- Optical disks (CD, DVD, etc.)
- Removable storage (USB, memory cards, etc.)
- Printer, scanner, photocopier
Article 3 of the Law defines the concept of personal data processing, while Article 4 states that personal data must be processed in connection with, limited to, and proportionate to the purposes for which they are processed and must be retained only as long as necessary for such purposes or as stipulated by relevant legislation.
Accordingly, within the scope of our institution’s activities, personal data is stored for the period prescribed by relevant legislation or for the duration required for our processing purposes.
Legal Grounds for Retention
Personal data processed within the framework of the institution's activities are stored for the duration stipulated by the relevant legislation. In this context, personal data are stored in accordance with:
- Law No. 6698 on the Protection of Personal Data,
- Turkish Code of Obligations No. 6098,
- Public Procurement Law No. 4734,
- Social Insurance and General Health Insurance Law No. 5510,
- Law No. 5651 on Regulation of Publications on the Internet and Combating Crimes Committed through Such Publications,
- Public Financial Management and Control Law No. 5018,
- Occupational Health and Safety Law No. 6331,
- Right to Information Act No. 4982,
- Law No. 3071 on the Use of the Right to Petition,
- Labor Law No. 4857,
- Retirement Health Law No. 5434,
- Turkish Commercial Code No. 6102,
- Consumer Protection Law No. 6502,
- Law No. 29166 on the Regulation of Electronic Commerce,
- Tax Procedure Law No. 213,
- Income Tax Law No. 193,
- Distance Contracts Regulation published in Official Gazette No. 27866,
- Regulation on Commercial Communication and Commercial Electronic Messages published in Official Gazette dated 15.07.2015 and numbered 29417,
- After-Sales Services Regulation published in Official Gazette dated 13.06.2014 and numbered 29029,
- Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism published in Official Gazette No. 26751.
They are stored for the duration prescribed by the secondary regulations in force under these laws.
Purposes Requiring Retention
The company retains personal data it processes within the scope of its activities for the following purposes:
- Managing human resources processes
- Ensuring internal corporate communication
- Ensuring the safety of the company, employees, and third parties
- Conducting statistical studies
- Managing internal corporate events
- Managing relationships with business partners or suppliers
- Handling requests and complaints
- Carrying out transactions based on signed contracts and protocols
- Providing required information and documents for the VERBIS system in accordance with the Personal Data Protection Law and Board decisions
- Fulfilling legal obligations required or mandated by legal regulations
- Contacting real/legal persons in a business relationship with the company
- Carrying out transactions within the scope of the company’s production and commercial policies
- Preparing legal reports
- Providing evidence in case of potential future legal disputes
4. DATA PROCESSORS
Within the framework of the above legislation and contractual requirements, the data obtained will be protected under the supervision of the data controller and by maintaining confidentiality. Our company's data processors include:
- Accounting department/unit of our company
- Human resources department/unit of our company
- Disciplinary board of our company
- Persons responsible for the protection of personal data within our company
- Company contact person (who is also responsible for personal data protection)
- Administrative personnel involved in recruitment, authorization, and internal personnel interviews
- Company doctor
- Unit supervisors for performance evaluations
- Company lawyers
- Financial consultants
- Private service providers
Depending on the nature of the work, other individuals may also be included in this status as data processors. Whoever has assumed the role of data processor will ensure data security in accordance with the relevant legislation and will use the data for limited purposes. For example, health records will not be reviewed by the accounting unit.
Personal data will be stored in a way that is inaccessible to unauthorized persons and will be kept under lock using keys assigned to processors. The security of such data will be ensured with 24-hour working surveillance cameras.
If such data is processed in a digital environment, it will be stored in specially locked folders, the security of the digital environment will be ensured, and file passwords will be kept only by the processors.
5. STORAGE AND DESTRUCTION OF PERSONAL DATA
Within our company, January and July of each year have been designated as the destruction periods. Personal data obtained from data subjects will be deleted, destroyed, or anonymized by the personnel responsible for data protection within the company, during the destruction period following the end of the retention period. Destruction records will be kept in a separate place within the company by the responsible personnel for three (3) years. After three years, these records will also be destroyed. The provisions of the Regulation on Deletion, Destruction, or Anonymization of Personal Data dated October 28, 2017, and numbered 30224, and the Law No. 6698 on the Protection of Personal Data will be taken as the basis for the destruction process.
Reasons for Destruction:
- Amendment or repeal of the provisions of the relevant legislation forming the basis of processing,
- The disappearance of the purpose requiring the processing or storage,
- In cases where personal data is processed solely based on explicit consent, withdrawal of consent by the data subject,
- Application made by the data subject to the Authority for the deletion or destruction of personal data within the scope of the rights in Article 11 of the Law,
- If the data subject's request for deletion, destruction or anonymization is rejected, the response is found insufficient, or no response is given within the period stipulated by the Law; lodging a complaint with the Board and approval of the request by the Board,
- The maximum retention period for personal data has expired, and there is no justification for retaining the data longer.
Pursuant to Article 12 of the Law and the fourth paragraph of Article 6, necessary technical and administrative measures are taken to securely store personal data, to prevent unlawful processing and access, and to lawfully destroy personal data, in line with the measures determined and announced by the Board.
Technical Measures:
- Risks and threats that may affect the continuity of information systems are continuously monitored through real-time analysis and information security incident management.
- Access to information systems and user authorizations are managed via an access and authorization matrix and corporate Active Directory security policies.
- Necessary precautions are taken for the physical security of the company’s information system equipment, software, and data.
- To ensure the security of information systems against environmental threats, both hardware (access control system allowing only authorized personnel into server rooms, 24/7 surveillance system, physical security of LAN switches), and software (firewalls, intrusion prevention systems, network access control, anti-malware systems, etc.) precautions are implemented.
- Risks preventing the unlawful processing of personal data are identified, appropriate technical measures are taken, and technical controls are conducted on these measures.
- Access procedures have been established within the company, and reporting and analysis related to access to personal data are carried out.
- Access to storage areas where personal data is held is logged, and unauthorized access or access attempts are monitored.
- The company ensures that deleted personal data cannot be accessed or reused by users.
- If personal data is unlawfully obtained by others, systems and infrastructure are in place to notify both the data subject and the Authority.
- Security vulnerabilities are monitored, appropriate security patches are applied, and information systems are kept up to date.
- Strong passwords are used in electronic environments where personal data is processed.
- Secure logging systems are used in electronic environments where personal data is processed.
- Data backup programs are used to ensure the security of personal data.
- Access to personal data stored in electronic or non-electronic media is restricted according to access principles.
- A separate policy has been established for the security of special categories of personal data.
- Employees who process special categories of personal data have received specific training on data security.
- Confidentiality agreements have been signed and user authorizations have been defined for those who have access to data.
- Electronic environments where special categories of personal data are processed, stored and/or accessed are protected using cryptographic methods; cryptographic keys are stored securely, all transaction logs are kept, security updates are continuously monitored, and security tests are conducted regularly.
- Adequate physical security measures are taken for physical environments where special categories of personal data are processed, stored and/or accessed, and unauthorized access is prevented.
- If it is necessary to transmit special categories of personal data via email, the data is sent encrypted from a corporate email address or via KEP (Registered Electronic Mail). If transmitted via portable media (e.g., USB, CD, DVD), the data is encrypted and the encryption key is stored separately from the medium. If transferred between servers in different physical environments, a VPN or SFTP connection is used. If transmission on paper is necessary, appropriate precautions are taken to prevent theft, loss, or unauthorized access, and the document is marked as "confidential."
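The portable-media rule above (encrypt the data, keep the key separately) is illustrated by the following added example. It is not the company's own code; it assumes AES-256-GCM from the Go standard library, a constructed sample record, and hypothetical helper names (NewExportKey, SealExport, OpenExport). Only the nonce and ciphertext go onto the medium; the key is delivered by another channel, and any tampering with the medium, a wrong key, or a mismatched export label makes decryption fail.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedExport is what is written to the USB/CD/DVD: nonce + ciphertext
// (the GCM authentication tag is appended to the ciphertext).
// The key is deliberately not part of this structure.
type SealedExport struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewExportKey generates a fresh 256-bit AES key. This is the item that the
// policy says is "stored separately": it goes to a key vault or is handed
// over out of band, never onto the same medium as the ciphertext.
func NewExportKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealExport encrypts plaintext with AES-256-GCM. The label (e.g. an export
// ID) is bound as additional authenticated data, so a ciphertext cannot be
// silently relabelled as a different export.
func SealExport(key, label, plaintext []byte) (*SealedExport, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per export
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &SealedExport{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, label)}, nil
}

// OpenExport decrypts and verifies. A flipped bit anywhere in nonce,
// ciphertext or tag, a different label, or a wrong key all cause gcm.Open
// to return an error and no plaintext.
func OpenExport(key, label []byte, sealed *SealedExport) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	pt, err := gcm.Open(nil, sealed.Nonce, sealed.Ciphertext, label)
	if err != nil {
		return nil, fmt.Errorf("export rejected: %w", err)
	}
	return pt, nil
}

func main() {
	// Constructed sample record, not real personal data.
	record := []byte("employee_id=0001;name=Ayse Yilmaz;blood_type=A+")
	label := []byte("health-export-2021-01")

	key, _ := NewExportKey()
	sealed, _ := SealExport(key, label, record)

	// What someone who finds the lost medium sees: nonce and ciphertext only.
	fmt.Printf("on medium: nonce=%x ct=%x...\n", sealed.Nonce, sealed.Ciphertext[:8])

	// Authorised recipient holding the separately delivered key.
	pt, err := OpenExport(key, label, sealed)
	fmt.Println("recipient:", string(pt), err)

	// Tampered copy: one flipped byte must be rejected.
	tampered := &SealedExport{Nonce: sealed.Nonce, Ciphertext: append([]byte{}, sealed.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01
	_, err = OpenExport(key, label, tampered)
	fmt.Println("tampered:", err)
}
```

Because GCM is an authenticated mode, the recipient learns of corruption or substitution before seeing any plaintext; with an unauthenticated mode such as CBC the tampered record would decrypt to garbage without an error, which is why the example does not use it.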
Administrative Measures:
- Training is provided to improve employee quality and to prevent unlawful processing and access to personal data, including legal protection of personal data, communication techniques, technical knowledge and skills, Labor Law, and relevant legislation.
- Confidentiality agreements are signed by employees involved in the company's activities.
- A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
- Before starting to process personal data, the company fulfills its obligation to inform the data subjects.
- A personal data processing inventory has been prepared.
- Periodic and random audits are conducted within the company.
- Employees receive information security training.
Destruction Methods:
DATA STORAGE MEDIUM | DESCRIPTION
Personal Data on Servers | The system administrator removes the access permissions of the relevant users and deletes expired personal data from the servers.
Personal Data in Electronic Media | Expired personal data in electronic media is made inaccessible and unusable for all employees (relevant users) except the database administrator.
Personal Data in Physical Media | Personal data kept in physical environments is made inaccessible and unusable for all employees except the archive manager of the responsible unit. In addition, it is redacted by drawing over, painting over or erasing so that it cannot be read.
Personal Data in Portable Media | Expired personal data stored on flash-based storage devices is encrypted by the system administrator, access is granted only to the system administrator, and the encryption keys are stored in secure environments.
Personal Data in Physical Media | Personal data in paper form that had to be retained is irreversibly destroyed with paper shredders once its retention period has expired.
Personal Data in Optical/Magnetic Media | Personal data on optical and magnetic media is physically destroyed by melting, burning or pulverizing. In addition, magnetic media is degaussed: it is passed through a special device and exposed to a high magnetic field so that the data becomes unreadable.
Personal data obtained from data subjects (employees, customers, visitors and the other groups listed below) is stored and destroyed for different periods depending on its nature. The retention periods for such data are listed below. Data whose retention period has expired is destroyed at the next destruction period, and destruction records are retained for 3 years.
PERSONAL DATA | STORAGE PERIOD
Recruitment documents to be submitted to the Social Security Institution; personnel data related to seniority and salary notifications | Stored for 15 (fifteen) years from the date of the service contract.
Personnel data other than that related to seniority and salary notifications for the Social Security Institution | Stored for 10 (ten) years from the beginning of the calendar year following the termination of the service contract.
Customer Information | Under Article 82 of the Turkish Commercial Code, information that forms the basis of commercial books and records must be kept for 10 years; otherwise Customer Information is stored for as long as necessary for the purpose of processing.
Contracts based on commercial relationships and related data | 10 years under the Turkish Code of Obligations No. 6098 and other relevant legislation.
Employees' Personal Health Files | Under occupational health and safety regulations, personal health files must be stored for 15 years from the date the employee leaves the company.
Job Applicant Information | Stored for a maximum of 2 years or until the retention period expires.
Visitor Information | Stored for 2 years.
Partner and Consultant Information | Stored for the duration of the relationship with the company and for 10 years thereafter under Article 146 of the Turkish Code of Obligations.
Information Shared by Other Companies with the Company | Stored for the duration of the relationship with the company and for 10 years thereafter under Article 146 of the Turkish Code of Obligations.
Customer | Stored for 10 years for each product/service purchased by the customer, in accordance with Article 146 of the Turkish Code of Obligations and the Turkish Commercial Code.
Customer/Potential Customer Requests and Complaints | Stored for 10 years from the date of the complaint.
Personal data constituting a criminal offense under the Turkish Penal Code or other penal provisions | Stored for the duration of the statute of limitations.
Log (Monitoring System) Records | 10 years
Hardware and Software Access Process Management | 2 years
Records of Visitors and Meeting Participants | If no contractual relationship exists, stored for 2 years from the date of the event.
Non-employee trainees and their information | Stored for the duration of the training and other activities with the company and for 1 year after the relationship ends.
Personal data obtained from job candidates | If the application is unsuccessful, stored until the next destruction period.
Data Subject Rights
Pursuant to Article 13 of the Law, when the data subject applies to SÜMER ULUSLARARASI SANAYİ VE TİCARET A.Ş. to request the deletion or destruction of their personal data:
- If all conditions for processing personal data are no longer valid; the Company deletes, destroys, or anonymizes the relevant personal data within 30 (thirty) days from the date of receiving the request, using an appropriate destruction method, and informs the data subject accordingly. In order for the request to be considered valid, it must be made in accordance with the Personal Data Processing and Protection Policy. In any case, the Company informs the data subject about the action taken.
- If the conditions for processing personal data still exist, the Company may reject the request with justification under the third paragraph of Article 13 of the Law, and the rejection is notified to the data subject in writing or electronically within 30 days. The right to lodge a complaint with the Authority remains. Under Article 14 of the Law, the data subject may complain to the Board within 30 (thirty) days of learning of the Company's response and, in any case, within 60 (sixty) days of the date of the application.
- Applications to our Company in this regard can be made "in writing" by:
- Personal application of the Applicant,
- Via notary,
- Signed by the Applicant with a "secure electronic signature" as defined in the Electronic Signature Law No. 5070
Transfer of Personal Data
Article 8 of the Personal Data Protection Law regulates how and under what conditions personal data may be transferred to third parties within the country. According to this article, personal data may only be transferred with the explicit consent of the data subject. However, the same article states that personal data may be transferred without the data subject’s explicit consent if the conditions specified in Articles 5 and 6 of the Law are met.
Reading these articles together, personal data may be transferred domestically where one of the following conditions is met:
- Obtaining explicit consent of the data subject,
- Clearly stipulated by law,
- Mandatory for the protection of the life or physical integrity of the person or another person who is unable to express consent due to actual impossibility or whose consent is not legally valid,
- Processing of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract,
- Necessary for the data controller to fulfill its legal obligation,
- Personal data has been made public by the data subject themselves,
- Data processing is mandatory for the establishment, exercise, or protection of a right,
- Provided that it does not harm the fundamental rights and freedoms of the data subject, data processing is mandatory for the legitimate interests of the data controller.
Transfer of Special Categories of Personal Data
- With the explicit consent of the data subject,
- In the case of personal data other than health and sexual life, if it is clearly provided for by law,
- In the case of personal data regarding health and sexual life, such data may be transferred to third parties for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, or planning and management of health services and their financing, by persons or authorized institutions and organizations under the obligation of confidentiality.
Categories of Personal Data and Related Data Subjects
Personal Data Category | Related Data Subjects
Identity Information | Company Stakeholders, Company Officials, Company Employees, Business Partners, Job Applicants, Visitors, Company and Group Company Customers, Potential Customers and Third Parties
Contact Information | Company Stakeholders, Company Officials, Company Employees, Business Partners, Job Applicants, Visitors, Company and Group Company Customers, Potential Customers and Third Parties
Location Data | Company Stakeholders, Company Officials, Company Employees
Transaction Security Information | Company Stakeholders, Company Officials, Company Employees, Business Partners, Job Applicants, Visitors, Company and Group Company Customers, Potential Customers and Third Parties
Family Members and Relatives Information | Company Stakeholders, Company Officials, Company Employees, Business Partners
Physical Security Information | Company Stakeholders, Company Officials, Company Employees, Job Applicants, Visitors, Company and Group Company Customers, Potential Customers and Third Parties
Financial Information | Company Stakeholders, Company Officials, Company Employees, Job Applicants, Visitors, Company and Group Company Customers, Potential Customers and Third Parties
Audio/Visual Information | Company Stakeholders, Company Officials, Company Employees, Job Applicants, Visitors, Company and Group Company Customers, Potential Customers and Third Parties
Personal Information | Company Stakeholders, Company Officials, Company Employees
Legal Transaction Information | Company Stakeholders, Company Officials, Company Employees, Job Applicants, Visitors, Company and Group Company Customers, Potential Customers and Third Parties
Special Categories of Personal Data | Company Stakeholders, Company Officials, Company Employees, Job Applicants, Visitors, Company and Group Company Customers, Potential Customers and Third Parties
Request/Complaint Management Information | Company Stakeholders, Company Officials, Company Employees, Job Applicants, Visitors, Company and Group Company Customers, Potential Customers and Third Parties
Rights of the Data Subject
Rights of the person whose data is processed are regulated under Article 11 of the Law No. 6698. Accordingly:
- You can find out whether your personal data is being processed, and if so, request information about it.
- You can learn the purpose of processing your personal data and whether they are used in accordance with the purpose.
- You can learn who your personal data is transferred to domestically or abroad.
- You can request the correction of your personal data if it is incomplete or incorrectly processed.
- You can request the deletion or destruction of your personal data within the framework of the conditions set out in the law.
- You can request that the correction, deletion, or destruction processes made upon your request be notified to third parties to whom your personal data has been transferred.
- You can object to a result to your detriment that arises from the analysis of your processed data exclusively through automated systems.
- If you suffer damage due to the unlawful processing of your personal data, you can request compensation.
Your requests regarding your personal data will be concluded free of charge within thirty days at the latest, depending on the nature of the request. However, if the process entails an additional cost for the Company, a fee may be charged according to the tariff set by the Personal Data Protection Board in the Communiqué on the Procedures and Principles of Application to the Data Controller.
You can submit your application regarding the processing of your personal data by filling out the application form available on the Company's website or by following the procedures and principles specified in Article 5 of the Communiqué on the Procedures and Principles of Application to the Data Controller:
- In writing and signed, via notary or registered mail with return receipt
- Via registered email (REM) address
- With secure electronic signature or mobile signature
- With notification to your email address
- Via notification made through the phone number 0312 418 4129
It is recommended to keep the registration numbers given for the above notifications for file and process tracking purposes.
Update and Compliance
The Company reserves the right to make changes to this Policy and other relevant policies due to changes in the Law, decisions of the Personal Data Protection Board, or developments in the industry or information technologies.
Changes made to this Policy are documented immediately, and explanations regarding the changes are provided at the end of the Policy.
This Policy has been approved by the Executive Board of SÜMER ULUSLARARASI SANAYİ VE TİCARET A.Ş. on 1/1/2021. It shall be valid and binding as of this date.
You can access the complaint form you can submit to our Company, the complaint form to be submitted to the Personal Data Protection Authority, and this disclosure text and KVKK Policies via the link below: http://www.sumeras.com
Important Note:
- The following principles were included in the Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/9 regarding the Calculation of the Application and Complaint Periods to the Data Controller:
- If the data controller responds to the relevant person's application within 30 days, the data subject may file a complaint within 30 days following the data controller's response, meaning there is no 60-day period from the application date to the data controller in such cases,
- If the data controller does not respond to the application, the data subject may file a complaint with the Board within 60 days from the date of application to the data controller,
- Considering that the data controller has no obligation to wait for a response after the 30-day period defined in the Law, in cases where the data controller responds after this period, a complaint may be submitted to the Board within 60 days from the date of application to the data controller, not within 30 days from the date of response.
With the Decision dated 24.01.2019 and numbered 2019/9 of the Personal Data Protection Board, it has been deemed appropriate to announce these matters to the public.