OUR INTEGRATED MANAGEMENT SYSTEM POLICY
Within the scope of providing piloting and towing, importing and selling grit material services, removing the solid wastes from water at Aydınlı Bay of Tuzla and cleaning it by sweeping and providing port operation/management, Environmental Management Services and building watercrafts (vessels and/or ships) and carrying out maintenance and repair works;
- Contributing to the national economy by strengthening the international competitive position of our stakeholders,
- Receiving feedback with the awareness of meeting the expectations and needs of our stakeholders in an effective and efficient manner, to continuously improve our process activities to meet the expectations and needs in accordance with the information obtained through these feedbacks,
- To produce fast solutions at the point of services offered to our stakeholders by providing information and system superiority with advanced technological studies,
- After assessment of necessities;
To continuously improve development, performance and process activities of our employees by training and informing them on subjects of personal development, gaining expertise, raising awareness, qualification and management systems etc,
By creating areas for social activity and organizing projects for social responsibility; we make sure that all our employees take part in social events, activities and projects and increase their motivation,
- To ensure continuous improvement of “Environmental Management System” and “OHS management system and OHS performance” for increasing the performances of “Quality Management System and Environmental performance”,
- Increasing positive environmental impacts and preventing and/or reducing negative environmental impacts to prevent Environmental Pollution through effective and efficient use of natural resources and raw materials
- Preventing injuries and health (mental, physical and spiritual) deterioration in order to create a healthy and safe work environment and making sure that they are applied effectively by taking measures to reduce the OHS risk levels created by hazards to an acceptable level
- Within the scope of management systems; to fulfill applicable requirements, to fulfill obligations in accordance with environmental and OHS legislations and to undertake to comply with other requirements,
- To ensure that the opinions of our employees and employee representatives are taken before making decisions on the issues related to the OHS Management System and that they are included in the decision-making activity regarding to these issues,
- To provide the best service to our stakeholders with our experienced and expert staff, free of any cost, while evaluating and solving the complaints, requests and questions of our stakeholders, where all our communication channels are open to our stakeholders, and our stakeholders can submit their complaints, requests and questions 24/7, their requests and questions are handled objectively, without prejudice, fairly and confidentially, and are evaluated in a way that is not contrary to legal requirements and our company policy and after the evaluation, effective, realistic and applicable solutions are offered, and necessary improvements and controls are made continuously to prevent the same dissatisfaction from recurring, and the rights of our customers, who always deserve the best, are always protected,
These are the policies that GİSAŞ undertakes and applies in order to maintain and strengthen its competitive position with a focus on the coming years.
GENERAL MANAGER
PDRD POLICY
This Personal Data Retention and Disposal Policy (“Policy”) on subjects of saving, destroying and anonymization of personal data, in accordance with the Law (PDRD) on the Protection of Personal Data No. 6698 and Regulation (“Regulation”) on Deleting, Destroying or Anonymization of Personal Data issued based on the law, was prepared by Gemi İnşa Sanayi A.Ş., (GİSAŞ) Company, as the data controller, to fulfill the obligations anticipated and to inform the data owners on issues, foremost for determining the maximum periods required for purpose of processing personal data and regulating the processes of anonymization, deletion and destruction of data.
Explicit Consent: It means consent about a specific subject, based on being informed and expressed with free will,
Anonymization: It refers to turning personal data into a form so that it cannot be associated with an identified or identifiable natural/real person in any way, even if it is matching with other data,
Physical Destruction: It is the process of physically destroying optical and magnetic media, such as by melting, incinerating, or pulverizing them.
Destruction: It means deletion, destruction or anonymization of personal data,
Relevant User: It refers to the persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, except the person or unit /department responsible for the technical storage, protection and backup of the data,
Law: It means the Law on Protection of Personal Data No. 6698,
Recording Environment: It refers to any environment where personal data is fully or partially automated or processed by non-automatic means, provided that it is part of any data recording system,
Personal Data: It refers to any information relating to an identified or identifiable natural/real person,
Personal Data Saving Table: It refers to the table showing the periods during which personal data will be stored within the Company,
Personal Data Processing Inventory: It refers to the inventory created by the data controllers depending on data controllers’ work processes by associating the personal data processing activities being performed by data controllers with the purposes for processing personal data, data category, the recipient group that the data is conveyed to and group of person subject to data, explaining in detail the maximum time required for the purposes for which personal data is processed, the personal data planned to be transferred to foreign countries, and the measures taken in regards to data security.
Deletion of Personal Data: It refers to the process of making personal data inaccessible and non-reusable in any way for the relevant users.
Destruction of Personal Data: It means the process of making personal data inaccessible, unrecoverable and non-reusable by anyone in any way,
Sensitive Personal Data: It means the data related to the race, ethnicity/ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions, and personal biometric and genetic data taken in regards to security measures.
Periodic Destruction: It refers to the deletion, destruction or anonymization process, which will be carried out automatically at repetitive intervals and as specified in the personal data storage and destruction policy, in case all requirements for processing personal data in the law are eliminated,
Company: GISAS Shipbuilding Industry Inc.
Overwrite: Refers to the process of preventing the recovery of old data by writing random data consisting of 0s and 1s at least seven times on magnetic media and rewritable optical media,
Data Recording System: The recording system in which personal data is structured and processed according to certain criteria,
Regulation/Directive: Refers to the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.
In the implementation of this policy, recording media means any environment where personal data is stored. The Company stores the personal data it processes in the following recording environments in accordance with the relevant legislation, especially the Personal Data Protection Law, and by taking the most up-to-date measures regarding data security.
In this context, the recording environments in the Company,
– NAVISION
– BT DATA CENTER
– REGISTRATION
– TURKCELL DATA CENTER
– FIREWALL
– Unit Cabinets
– Archive Cabinets
Personal data of data owners may be processed by the Company for the following purposes:
- Making the necessary evaluations to determine your suitability for the job due to your job application, finalizing your application and contacting you when necessary.
- Signing and performance of the employment contract,
- Protection of rights arising from employment contracts and legislation,
- Monitoring the activities of the personnel and ensuring job control,
- Performing necessary actions within the framework of provisions of relevant legislation, especially the Labor Law, the Occupational Health and Safety Law and the Social Security Law.
- Increasing the levels of performance and employee satisfaction within the framework of human resources policy,
- Providing suitable personnel for vacant positions within the scope of company’s human resources policies,
- Executing personnel termination processes in case of termination of the employment contract.
- Ensuring internet security and authorization management,
- Follow-up of requests and complaints of our employees
- Giving information to authorized institutions based on legislation,
- Follow-up of finance and/or accounting works
- Follow-up of legal affairs and protection of rights
- Ensuring occupational safety, general safety and building security
- Fulfillment of obligations arising from the partnership of the company
- Fulfillment of obligations arising from company partnership
- Ensuring coordination with the members of the board of directors, conducting the company’s business affairs and execution of the contract
- Drawing, signing and execution of consultancy contract.
In the following cases the personal data of the data owners are deleted, destroyed or anonymized, automatically by the Company or upon request and in accordance with the Regulation:
- Changing or repealing the provisions of the relevant legislation, which is the basis for the processing or storage of personal data,
- The elimination or removal of the purpose requiring the processing or storage of personal data,
- Elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law.
- The relevant person withdrawing his consent, in cases where the processing of personal data takes place only on the basis of explicit consent,
- The application made by the concerning person in regards to the deletion, destruction or anonymization of personal data is accepted by the data controller,
- Presenting complaint to the Board and approval of this request by the Board; in cases where the data controller rejects the application made to him by the data subject with the request of the deletion, destruction or anonymization of his personal data, his answer is found insufficient or he does not respond within the time stipulated in the Law.
- The absence of any conditions justifying the retention of personal data for a longer period of time, even though the maximum period for keeping personal data has passed.
Technical Measures:
- Personnel knowledgeable in technical matters are employed.
- Access authorizations are limited and authorizations are reviewed regularly.
- Physical files are protected in steel cabinets, preventing access by unauthorized persons.
- Software and hardware including virus protection systems and firewalls are used.
- Backup programs are used in accordance with the law to ensure that personal data is kept securely.
- Inappropriate accesses or attempts to make accesses by logging onto the data storage areas where personal data are stored are instantly communicated to the relevant parties.
Administrative Measures:
- Employees are informed and trained about the law of protection of personal data and the processing and storage of personal data in accordance with the law.
- Personnel who will process, store and access personal data are determined in the Personal Data Inventory.
- Except for the Company’s instructions and the exceptions made by law, clauses that impose the obligation not to process, disclose or use personal data are placed in the agreements between the Company and the employees, and the awareness of the employees is created in this regard; employees are informed that the personal data they have learned cannot be disclosed to others in violation of the provisions of the KVK Law and cannot be used for purposes other than processing, and this obligation will continue after they leave their job.
Technical Measures Taken for the Legal Disposal of Personal Data:
- Necessary software has been purchased to provide the cyber security infrastructure, and measures such as firewall and gateway have been set up.
- Software updates are made regularly to ensure that the security measures work properly.
- Access to personal data stored both physically and electronically is limited, and the persons authorized to access are determined in advance.
- In order to be protected from malicious software, products such as antivirus and anti-spam, which regularly scan the information system network and detect dangers, are used, and these are kept up-to-date and necessary files are scanned regularly.
- All user transactions are logged and recorded.
- Security problems are detected quickly and reported to the relevant person immediately.
- Physical recording environments are protected against external risks such as fire, flood, and flooding, and access to these environments is controlled.
- Personal data in electronic media are regularly backed up, taking into account the possibility of registration or damage.
Administrative Measures Taken for the Legal Disposal of Personal Data
- Employees are informed and trained on the law of protection of personal data and the destruction of personal data in accordance with the law.
- Personnel who will destroy the Personal data registered in the Personal Data Inventory have been determined.
- Personal data storage and destruction activities carried out within the company are audited.
- The technical measures taken are reported to the person concerned.
- Personnel knowledgeable in technical matters are employed.
Personal data must be deleted by methods suitable for recording media.
Personal Data Deletion Methods
Personal Data in Cloud Systems: Data must be deleted in the cloud system by issuing a delete command. It should be noted that the relevant user does not have the authority to restore the deleted data on the cloud system while performing the aforementioned operation.
Personal Data on Paper: Personal data on paper is deleted using the blackout method. The blackening process is done by cutting the personal data on the relevant document when possible, and in cases where it is not possible, making it invisible to the relevant users by using fixed ink, which cannot be read with technological solutions.
Office Files on the Central Server: They are deleted with the delete command in the operating system.
Personal Data in Portable Media: It is deleted with appropriate software.
Personal Data Destruction Methods
Personal Data in Local Systems: It is destroyed by using the appropriate method of physical destruction or overwriting.
Personal Data in Environmental Systems:
- Network devices (switches, routers, etc.): They are destroyed by using the appropriate method among de-magnetizing, physical destruction and overwriting.
- Flash-based media: It is destroyed using the methods recommended by the relevant manufacturer, or by using the appropriate method of physical destruction or overwriting.
- Sim Card and hard memory cards: They are destroyed using the appropriate physical destruction or overwriting method.
- Optical discs: Destroyed by physical means.
- Peripherals with a fixed data recording medium, such as printers and fingerprint door access systems: They are destroyed by using the appropriate physical destruction or overwriting methods.
Personal Data on Paper: Personal Data on Paper is destroyed using paper shredders.
Methods of Making Personal Data Anonymous
In the process of making personal data anonymous, the appropriate method of making Personal Data Anonymous is used, which is shown in the Manual on Deletion, Destruction or Anonymization of Personal Data published by the Personal Data Protection Authority.
PERSON RESPONSIBLE FOR PROCESS | JOB | RESPONSIBILITY |
Administrative Affairs Manager | Administrative Affairs Department – Personal Data Storage and Destruction Policy Implementation Manager | Ensuring that the data processed by the department he/she manages are stored in accordance with the storage period in this data storage and destruction policy and management of personal data destruction process during periodic destruction periods. |
Director of Human Resources | Human Resources Department – Personal Data Storage and Destruction Policy Implementation Manager | |
Accounting Manager | Accounting Department – Personal Data Storage and Destruction Policy Implementation Manager | |
IT (Data Processing) Manager | IT (Data Processing) Department – Personal Data Storage and Destruction Policy Implementation Manager | |
Occupational Health and Safety Office Supervisor | OHS Office Supervisor– Personal Data Storage and Destruction Policy Implementation Manager | |
Director of Environmental Department | Environmental Department – Personal Data Storage and Destruction Policy Implementation Manager |
DATA CATEGORY | RETENTION/STORAGE PERIOD | DESTRUCTION PERIOD |
Data requiring processing for entering into or performance of a contract or other data processed within this scope. | 10 years as of the date on which Contract expires in accordance with Turkish Code of Obligations | During the course of first periodical destruction following expiration of storage/saving period |
Personnel health data | 15 years as of the date on which employment ends in accordance with Occupational Health and Safety Legislation | During the course of first periodical destruction following expiration of storage/saving period |
Entering and exiting visitor data/records/video recordings for ensuring security of the building within the scope of legitimate interest. | 2 years | During the course of first periodical destruction following expiration of storage/saving period |
Information regarding to Company partners and member of Board of Directors. | 5 years as of the date on which the partnership period ends in accordance with Turkish Commercial | During the course of first periodical destruction following expiration of storage/saving period |
Information in regards to the tenant originating from Rental Agreement. | 5 years as of the date on which the contract expires pursuant to the Turkish Code of Obligations | During the course of first periodical destruction following expiration of storage/saving period |
Video recordings / records taken for establishment of building security and for doing personnel work follow ups. | 1 month | During the course of first periodical destruction following expiration of storage/saving period |
In cases in which the relevant personal data is the subject of a criminal investigation or connected to a criminal investigation | As long as the statute of limitation found in 66th Article of Turkish Penal Code | During the course of first periodical destruction following expiration of storage/saving period |
Other data with an anticipated special storage period in legislation | As long of a time as storage period anticipated in the relevant legislation | During the course of first periodical destruction following expiration of storage/saving period |
Personal data processed based on consent | Until a deletion/removal of personal data request is made by the person of concern | Within 30 days as of the date on which the person of concern made the request |
Physical and digital data that have completed the legal storage and destruction periods are destroyed periodically. The company deletes, destroys or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises.
Periodic destruction is carried out at 6-month intervals for all personal data.
Transaction records regarding deletion, destruction and anonymization are kept for 3 years.
EXPLANATION TEXT ON PROCESSING PERSONAL DATA
Hereby this Explanation Text was written by GİSAŞ Gemi İnşa Sanayi A.Ş., acting as the data controller, for the purpose of making explanations and providing information in regards to data processed by security cameras in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”).
- Purposes of Processing Your Personal Data
GISAS processes your personal data in order to ensure general security and building security.
- Persons/organizations to whom personal data can be transferred
Your personal data collected by GİSAŞ may be shared with legally authorized public/government institutions for the above-mentioned purposes, within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law.
- Collection Method and Legal Reasons for Collecting Your Data
Your personal data is collected by GİSAŞ through security cameras within the scope of legitimate interests.
- Your rights in accordance with Article 11 of PDPL
You can exercise your rights in Article 11 of the Personal Data Protection Law by applying to our company. Your requests in your application will be finalized as soon as possible and within thirty days at the latest, depending on the nature of the request.
You can apply within the scope of PDPL provisions.
Person in Charge of Data: GISAS Shipbuilding Industry Inc.
Address | : | Tersaneler Caddesi No:24 (34944) Tuzla – İSTANBUL |
Phone | : | +90 (216) 446 00 81 |
Fax | : | +90 (216) 446 06 83 |