INTEGRATED MANAGEMENT SYSTEM POLICY

Providing pilotage and tugboat services, Import and sale of Grit material, Cleaning of sea from solid wastes with Sea broom and Tuzla Aydınlı Bay, Porting service and Environmental Consultancy Service;

  • To contribute to the national economy by strengthening the international competitive position of our stakeholders,
  • To receive feedback with the awareness of continuously meeting the expectations and needs of our stakeholders in an effective and efficient manner, and to continuously improve our process activities to meet expectations and needs according to the information obtained through these notifications,
  • Providing information and system superiority with advanced technological studies and producing fast solutions in terms of services offered to our stakeholders,
  • After the needs assessment;
    to continuously improve the development, performance and process activities of our employees by providing trainings on personal development, gaining expertise, awareness raising, qualification, information on management systems and similar issues,
    to ensure the participation and motivation of all employees by creating social activity areas and realizing social responsibility projects,
  • To ensure continuous improvement of the “Quality Management System”, the “Environmental Management System” for improving environmental performance, and the “OHS Management System” and OHS performance,
  • Preventing and / or reducing the negative environmental impacts and increasing the positive environmental impacts,
  • Preventing injuries and health (physical and mental) deterioration and / or creating a safe working environment in order to ensure effective implementation of measures that will reduce the risk levels of OHS Hazards to acceptable levels,
  • Within the scope of management systems; to fulfill applicable requirements, to fulfill the obligations in accordance with the environmental and OHS legislation and to undertake to comply with other requirements,
  • To keep all communication channels open to our stakeholders so that they can communicate their complaints, demands and questions 24/7; to handle these objectively, without prejudice, fairly and confidentially; to evaluate them in a manner that does not violate legal conditions and company policy; after the evaluation, to provide effective, realistic and applicable solutions; to provide the best service to our stakeholders with our experienced and expert staff, without any fee, while evaluating and solving complaints, demands and questions; to make all the necessary improvements and controls continuously; and to always protect the rights of our customers, who always deserve the best,

is GİSAŞ's commitment to maintaining and strengthening its competitive position with a focus on future years.

GENERAL MANAGER

KVKK POLICY

This Personal Data Retention and Disposal Policy (“Policy”) has been prepared by the Company (GİSAŞ) in order to fulfill the obligations foreseen in the Law on the Protection of Personal Data (KVKK) and in the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”) issued on the basis of this Law, and to inform the data owners about these issues, in particular in order to determine the maximum periods required for the purpose of personal data processing and to organize the anonymization, deletion and destruction of the data.

Open Consent: Consent which is based on information and expressed with free will on a certain subject,

Anonymization: Making it impossible to associate personal data with an identified or identifiable real person under any circumstances, even if the personal data is matched with other data,

Physical Destruction: The process of physical destruction of optical and magnetic media, such as melting, incineration or dusting.

Destruction: Deletion, destruction or anonymization of personal data, 

Related User: Persons who process personal data within the organization of the data officer or with the authority and instruction received from the data officer except the person or unit responsible for the technical storage, protection and backup of the data,

Law: The Law No. 6698 on the Protection of Personal Data,

Recording Media: Any media containing personal data that is fully or partially automated or processed by non-automatic means provided that it is part of any data recording system,

Personal Data: Any kind of information about the person who is identified or identifiable, 

Personal Data Storage Table: A table showing the periods during which personal data will be stored within the Company, 

Personal Data Processing Inventory: The inventory that data officers create for the data processing activities they carry out according to their business processes, by linking the personal data with the purposes of data processing, the data category, the group of recipients to which the data is transferred and the group of data subjects, and in which they detail the maximum time required for the purposes for which the personal data were processed, the personal data envisaged to be transferred to foreign countries and the measures taken for data security,

Deletion of Personal Data: The process of making personal data inaccessible and non-reusable in any way for the related users,

Destruction of Personal Data: The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way,

Special Categories of Personal Data: Data about the race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures of persons, and biometric and genetic data,

Periodic Destruction: The deletion, destruction or anonymization process that is carried out ex officio at the repeated intervals specified in the personal data storage and destruction policy in the event that all the conditions for processing personal data set out in the Law are eliminated,

Company: GISAS Shipbuilding Industry Inc.

Overwriting: It is the process of preventing the recovery of old data by writing random data of 0 and 1 at least seven times on magnetic media and rewritable optical media.

Data Recording System: The recording system in which personal data is structured and processed according to certain criteria,

Regulation: The Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

In the implementation of this policy, recording media means any medium in which personal data is available. The Company stores the personal data it processes in accordance with the related legislation, in particular the Personal Data Protection Law, and by taking the most up-to-date measures regarding data security in the following recording media.

In this context, the recording media in the Company are:

– NAVISION

– BT DATA CENTER

– REGISTRATION

– TURKCELL DATA CENTER

– FIREWALL

– Unit Cabinets

– Archive Cabinets

Personal data of data owners may be processed by the Company for the following purposes:

  • To make the necessary evaluations to determine your suitability for your job application, to finalize your application and to contact you when necessary,
  • Establishment and execution of employment contract
  • Protection of rights arising from employment contract and legislation
  • Monitoring the activities of the personnel and ensuring the work supervision
  • To carry out the necessary procedures within the framework of the relevant legislation, in particular the Labor Law, the Occupational Health and Safety Law and the Social Security Law.
  • Increasing performance level and employee satisfaction within the framework of human resources policy
  • Provision of personnel suitable for open positions within the scope of the Company’s human resources policies
  • Exits of personnel in case of termination of employment contract
  • Providing Internet security and authority management
  • Monitoring of demands and complaints of our employees
  • Providing information to the authorities authorized under the legislation
  • Monitoring of finance and / or accounting
  • Follow-up of legal affairs and protection of rights
  • Ensuring occupational safety, general safety and building safety
  • Execution of partnership affairs
  • Fulfillment of obligations arising from company partnership
  • Ensuring coordination with the members of the board of directors, conducting the business of the company and performing the contract
  • Establishment and execution of consultancy agreement

Pursuant to the Regulation, the personal data of the data owners shall be deleted, destroyed or made anonymous by the Company ex officio or upon request in the following cases:

  1. Amendment or abolition of the provisions of the relevant legislation which constitute the basis for processing or storing personal data,
  2. Elimination of the purpose of processing or storing personal data,
  3. Elimination of the conditions in Articles 5 and 6 of the Law that require the processing of personal data,
  4. Where the processing of personal data takes place only with the express consent of the person concerned, the person concerned revoking his consent,
  5. Acceptance by the data officer of the application of the person concerned for deletion, destruction or anonymization of his personal data,
  6. Where the data officer rejects the application made by the person concerned with the request for deletion, destruction or anonymization of his personal data, his response is found insufficient or he does not respond within the time period stipulated in the Law, a complaint being made to the Board and this request being approved by the Board,
  7. The maximum period for which personal data must be stored having elapsed, with no condition that justifies the storage of personal data for a longer period of time.

Technical Measures:

  • Personnel with technical knowledge are employed.
  • Access rights are limited and reviewed regularly.
  • Physical files are protected in steel cabinets and unauthorized access is prevented.
  • Software and hardware including virus protection systems and firewalls are used.
  • In order to ensure the safe storage of personal data, legitimate backup programs are used.
  • Access to data storage areas with personal data is logged and improper access or access attempts are instantly communicated to those concerned.

Administrative Measures:

  • Employees are informed and trained on the protection of personal data and the processing and storage of personal data in accordance with the law.
  • Personal Data Inventory identifies the personnel who will process, store and access personal data.
  • Employees are informed that they may not disclose the personal data they have learned to anyone else in violation of the provisions of the KVK Law, that they may not use it for any purpose other than the processing purposes, and that this obligation continues after their employment ends; employees' awareness is created through the agreements between the Company and the employees, which impose an obligation not to process, disclose or use personal data, with the exception of the Company's instructions and the exceptions provided for by law.

Technical Measures Taken for Proper Disposal of Personal Data:

  • The necessary software has been procured to provide the cyber security infrastructure, and measures such as firewall and gateway have been established.
  • Software updates are regularly performed to ensure that security measures work properly.
  • Access to personal data stored both physically and electronically is restricted and the persons authorized to access are determined in advance.
  • In order to protect against malware, products such as antivirus and antispam, which regularly scan the information system network and detect hazards, are used and kept up-to-date, and the required files are regularly scanned.
  • All user transactions are logged and recorded.
  • Security issues are quickly identified and immediately reported to the person concerned.
  • Physical recording environments are protected against external risks such as fire and flood, and access is controlled.
  • Personal data in electronic form is regularly backed up, considering the possibility of registration or damage.

Administrative Measures for Proper Disposal of Personal Data:

  • Employees are informed and trained in the law on the protection of personal data and the proper disposal of personal data.
  • Personnel that will destroy the Personal data registered in the Personal Data Inventory have been identified.
  • Personal data storage and destruction activities carried out within the Company are audited.
  • The technical measures taken are reported to the person concerned.
  • Personnel with technical knowledge are employed.

Personal data must be erased in a manner appropriate to the recording media.

 

Methods for Deleting Personal Data

Personal Data on Cloud Systems: Data should be deleted by giving the delete command in the cloud system. While performing this operation, care should be taken that the related user is not authorized to retrieve deleted data on the cloud system.

Personal Data on Paper: Deleted using the blackout method. The blackout process is performed by cutting out the personal data on the relevant documents where possible, and by making them invisible to the related users using fixed ink that is irreversible and not readable by technological solutions.

Office Files on the Central Server: Deleted with the delete command in the operating system.

Personal Data on Portable Media: Deleted with appropriate software.

 

Methods of Destruction of Personal Data

Personal Data on Local Systems: Destroyed using the appropriate method among physical destruction and overwriting.

Personal Data in Peripheral Systems:

  1. Network devices (switches, routers, etc.): destroyed using the appropriate method among de-magnetizing, physical destruction and overwriting.
  2. Flash-based environments: destroyed using the methods recommended by the manufacturer, or the appropriate method among physical destruction and overwriting.
  3. SIM cards and fixed memory cards: destroyed using the appropriate method among physical destruction and overwriting.
  4. Optical discs: destroyed by physical methods.
  5. Peripherals with fixed data recording media, such as printers and fingerprint door access systems: destroyed using the appropriate method among physical destruction and overwriting.

Personal Data on Paper Media: Destroyed using paper disposal machines.

Methods of Making Personal Data Anonymous

In the process of making personal data anonymous, one of the anonymization methods shown in the Guide to Deleting, Destroying or Making Personal Data Anonymous published by the Personal Data Protection Authority is used.

 

| PROCESS RESPONSIBLE | TASK | RESPONSIBILITY |
|---|---|---|
| Administrative affairs manager | Administrative Affairs Department – Personal Data Retention Policy Officer | Ensuring that the data processed by the department to which he or she is assigned complies with the retention periods in this data retention and destruction policy, and managing the personal data destruction process during periodic destruction periods. |
| Director of human resources | Human Resources Department – Personal Data Retention Policy | |
| Accounting Manager | Finance Department – Personal Data Retention Policy | |
| IT Manager | Information Technologies Department – Personal Data Retention Policy | |
| Occupational Health and Safety | OHS Chief – Personal Data Retention Policy | |
| Director of Environmental Department | Environmental Department – Personal Data Retention Policy | |

 

| DATA CATEGORY | STORAGE TIME | DISPOSAL TIME |
|---|---|---|
| Other data that is required or processed for the establishment or performance of a contract | 10 years from the date of termination in accordance with the Turkish Code of Obligations | During the first periodic destruction process following the end of storage period |
| Employee health data | 15 years from the date of leaving in accordance with Occupational Health and Safety legislation | During the first periodic destruction process following the end of storage period |
| Visitor entry and exit information to ensure building security within the legitimate interest | 2 years | During the first periodic destruction process following the end of storage period |
| Data on Company shareholders and members of the Board of Directors | 5 years from the expiration of the partnership period pursuant to the Turkish Commercial Code | During the first periodic destruction process following the end of storage period |
| Data on the tenant arising from the tenancy agreement | 5 years from the date of the termination of the contract pursuant to the Turkish Code of Obligations | During the first periodic destruction process following the end of storage period |
| Camera recordings to ensure the security of the building and follow up the work of the personnel | 1 month | During the first periodic destruction process following the end of storage period |
| If the personal data concerned is the subject of a criminal investigation or is related to the criminal investigation | The case referred to in Article 66 of the Turkish Penal Code shall | During the first periodic destruction process following the end of storage period |
| Other data foreseen in the relevant legislation | During the storage period stipulated in the relevant legislation | During the first periodic destruction process following the end of storage period |
| Personal data processed on consent | Up to the request of the person concerned for deletion of personal data | Within 30 days from the request of the person concerned |

Physical and digital data whose statutory storage and disposal periods have expired is periodically destroyed. The Company deletes, destroys or anonymizes personal data during the first periodic destruction following the date when the obligation to delete, destroy or anonymize personal data arises.

Periodic destruction takes place at 6-month intervals for all personal data.

The transaction records for deletion, destruction and anonymization shall be kept for a period of 3 years.