PRAMO İnşaat Mühendislik San. Tic. Ltd. Şti. – PRAMO Prefabricated Building Technologies
Publication Date: 01.09.2024
Version No: 1
Reference: Law No. 6698 on the Protection of Personal Data
1. PURPOSE
The right of every individual to request the protection of their personal data is a fundamental constitutional right.
As PRAMO, we consider fulfilling the requirements of this right as one of our most important responsibilities.
This policy has been prepared as a reflection of the importance we attach to data protection and defines the principles to be applied in the processing, protection, and management of personal data.
2. SCOPE
This policy covers all operations related to personal data managed by PRAMO, including the collection, recording, storage, preservation, disclosure, transfer, classification, or prevention of unauthorized use of such data through automated or manual means.
It applies to all personal data processed by PRAMO, including those of shareholders, executives, employees, customers, suppliers, and third parties.
3. DEFINITIONS
Personal Data: Any information relating to an identified or identifiable natural person.
Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller.
Explicit Consent: Freely given, specific, and informed consent regarding a particular issue.
Destruction: The deletion, destruction, or anonymization of personal data.
Commission: The Personal Data Protection Commission established within PRAMO and responsible for managing all KVKK processes.
4. GENERAL PRINCIPLES
When processing personal data, PRAMO adheres to the following principles:
Compliance with law and rules of honesty
Accuracy and up-to-dateness when necessary
Processing for specific, explicit, and legitimate purposes
Being relevant, limited, and proportionate to the purpose of processing
Retention only for the period required for the processing purpose
5. DUTIES AND RESPONSIBILITIES
The processes related to the processing and protection of personal data at PRAMO are managed by the Personal Data Protection Commission, consisting of representatives from General Management, Human Resources, Financial Affairs, and IT Departments.
The Commission meets at least twice a year and may convene extraordinarily when necessary.
Its duties include:
Updating policies and procedures,
Conducting KVKK awareness and training programs,
Identifying data security risks and implementing preventive measures,
Ensuring notifications in case of data breaches,
Keeping the data inventory updated.
6. DATA SECURITY MEASURES
6.1 Technical Measures
Network and application security are ensured.
Access logs are regularly maintained.
Firewalls and antivirus systems are used.
Physical security measures are implemented in data storage environments.
Data is regularly backed up.
Encryption and user authorization controls are applied.
6.2 Administrative Measures
Regular KVKK training sessions are provided to employees.
Access, retention, and destruction policies are established.
Authorization matrices are applied, and access rights are revoked during role changes.
Data security clauses are included in contracts.
Sensitive personal data is transferred through encrypted and secure channels.
Periodic internal audits are conducted.
7. RIGHTS OF DATA SUBJECTS
In accordance with Article 11 of the Law No. 6698, data subjects may apply to PRAMO to exercise the following rights:
To learn whether their personal data have been processed,
To request information about processing activities,
To learn whether the data is used in accordance with the purpose,
To learn about third parties to whom data is transferred,
To request correction of incomplete or inaccurate data,
To request deletion, destruction, or anonymization of personal data,
To object to decisions made exclusively through automated systems,
To claim compensation for damages arising from unlawful processing.
8. DATA BREACH NOTIFICATIONS
In case of any suspicion of a data breach, PRAMO employees must immediately report the situation to the Commission.
If the breach involves unlawful access to or acquisition of personal data, the incident shall be reported to the Personal Data Protection Authority within 72 hours in accordance with the law.
9. AMENDMENTS
Any amendments to this policy are prepared by the Commission and enter into force upon approval by the PRAMO Board of Directors.
Updated versions of the policy are communicated to employees and/or published on the company website.
10. EFFECTIVE DATE
This policy was approved by the PRAMO Board of Directors and entered into force on 01.09.2024.
