Policy on the Protection and Processing of Personal Data
Lotte Chemical Turkey Yüzey Tasarımları San. ve Tic. A.Ş. Policy on the Protection and Processing of Personal Data
Document Overview |
Name of Document |
Lotte Chemical Turkey Yüzey Tasarımları San. ve Tic. A.Ş.’s Policy on the Protection and Processing of Personal Data |
Target Audience |
All natural persons whose personal data are processed by Lotte Chemical Turkey Yüzey Tasarımları San. ve Tic. A.Ş. |
Underlying Legislation |
Law No. 6698 on the Protection of Personal Data and other secondary regulations |
Approved by |
Executive Board of Lotte Chemical Turkey Yüzey Tasarımları San. ve Tic. A.Ş. |
In case of any discrepancy between the original Turkish version of this Policy on the Protection and Processing of Personal Data and any translated version, the Turkish text will prevail.
This document cannot be reproduced or disseminated without the written permission of Lotte Chemical Turkey Yüzey Tasarımları San. ve Tic. A.Ş.
LOTTE CHEMICAL TURKEU YÜZEY TASARIMLARI SAN. VE TİC. A.Ş. POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
1. PURPOSE OF POLICY AND CONFIDENTIALITY COMMITMENT
2. SCOPE OF POLICY
3. DEFINITIONS
4. FUNDAMENTAL PRINCIPLES OF THE PROCESSING OF PERSONAL DATA
5. PROCESSING OF PERSONAL DATA
6. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
7. PERSONAL DATA PROCESSED BY THE COMPANY AND PURPOSES FOR PROCESSING
8. PERIOD OF RETENTION AND DESTRUCTION OF PERSONAL DATA
9. TRANSFER OF PERSONAL DATA
10 TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA
11. THE COMPANY’S OBLIGATION TO INFORM
12. THE RIGHTS OF DATA SUBJECTS
13. MANAGEMENT AND SECURITY OF PERSONAL DATA
14. AUDITS
15. RESPONSIBILITIES
16. CHANGES TO THE POLICY
17. ENFORCEMENT DATE OF THE POLICY
EK 1 - KİŞİSEL VERİ KATEGORİLERİ VE KİŞİSEL VERİLER’İN İŞLENME AMAÇLARI
LOTTE CHEMICAL TURKEU YÜZEY TASARIMLARI SAN. VE TİC. A.Ş. POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
1. PURPOSE OF POLICY AND CONFIDENTIALITY COMMITMENT
1.1. Lotte Chemical Turkey Yüzey Tasarımları San. ve Tic. A.Ş. (the “Company”) attaches utmost priority to the protection of your fundamental rights and freedoms and privacy in the processing of your personal data, particularly, the right to privacy, and consequently, the safeguarding of your personal data. Accordingly, this present PLotte Chemical Turkey Yüzey Tasarımları San. ve Tic. A.Ş.’s Policy on the Protection and Processing of Personal Data (the “Policy”) sets out the principles adopted by our Company for the conducting of the personal data processing activities undertaken by our Company and the fundamental principles adopted with respect to the compliance of our Company’s data processing activities with the regulations laid down particularly in the Law No. 6698 on the Protection of Personal Data and the secondary legislation and practices, whereby our Company informs the personal data subjects and ensures necessary transparency.
1.2. In this regard, our Company undertakes to process your personal data pursuant to the applicable legislation, this Policy and the procedures to be implemented on the basis of the Policy, in full awareness of our responsibility within this scope.
2. SCOPE OF POLICY
2.1. This Policy concerns all personal data pertaining to the natural persons whose personal data are processed, by automatic means or otherwise than by automatic means that form a part of the data filing system.
2.2. This Policy includes and applies to all data processing activities concerning the personal data which are being processed by the Company.
2.3. This Policy is not applicable for data which do not qualify as personal data.
2.4. This Policy may be amended from time to time upon the approval of the Executive Board if so required by the applicable legislation or as deemed necessary by the Company.
2.5. In case of any conflict between the regulations laid down in the applicable legislation and this Policy, the regulations laid down in the applicable legislation will prevail.
3. DEFINITIONS
The terms used in this Policy will have the meanings ascribed thereto below:
“Explicit Consent” freely given, specific and informed consent;
“Obligation to Inform” the obligation imposed on the Data Controller or the person authorized thereby to inform the Data Subjects while collecting Personal Data, pursuant to article 10 of the LPPD and the Communiqué on the Procedures and Principles to be Followed for the Fulfillment of the Obligation to Inform;
“Data Subject(s)” natural persons whose Personal Data are processed by the Company or person/institutions authorized on behalf of the Company;
“Disposal” the erasure, destruction or anonymization of Personal Data;
“Personal Data” any information relating to an identified or identifiable natural person (for the purposes of this Policy, the phrase “Personal Data” further covers “Special Categories of Personal Data” (as defined below) to the extent it is appropriate);
“Processing of Personal Data” any operation which is performed on data, whether or not (wholly or partly) by automated means, such as collection, recording, storage, retention, alteration, re-organization, dissemination, transmission, taking over, retrieval, classification or preventing the use of personal data, or provided that the process is a part of any data filing system, through non-automated means;
“Committee” the Company’s Personal Data Protection Committee;
“Board” Personal Data Protection Board;
“LPPD” Law No. 6698 on the Protection of Personal Data;
“PDP Regulations” all applicable legal regulations in force in relation to the protection of Personal Data, in particular the LPPD; Board decisions, Personal Data Protection Authority’s guidelines and public announcements, decisions / instructions of other regulatory and supervisory authorities, courts and other public authorities; and all regulations which may subsequently enter into force regarding the protection of Personal Data and any amendments to be made thereto;
“PDP Procedures” the procedures setting out the obligations required to be complied by the Company, the Company’s personnel and the Committee pursuant to the policies enacted in relation to the protection of personal data;
“Special Categories of Personal Data” data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and attire, association, foundation or trade-union memberships, health, sexual life, criminal convictions and security measures, and biometrics and genetics;
“Data Processor” any natural or legal person processing personal data on behalf of the Data Controller, on the basis of the authority granted thereby; and
“Data Controller” any natural or legal person determining the purposes of and means for the processing of personal data, and being liable for the establishment and management of the data filing system.
4. FUNDAMENTAL PRINCIPLES OF THE PROCESSING OF PERSONAL DATA
4.1. Personal Data Processing in accordance with the Law and Principle of Good Faith
The Company processes Personal Data in accordance with the law, principle of good faith and principle of proportionality. In this regard, the Company processes Personal Data to the extent so necessitated by the Company’s business activities and as limited therewith.
4.2. Ensuring the Personal Data to be Accurate and if Necessary, Up- to-Date
The Company adopts any and all necessary measures in order to ensure that the Personal Data are complete, accurate and up-to-date throughout the period of processing such Personal Data. In this regard, the Company establishes necessary mechanisms for ensuring the accuracy and up-to-dateness of the Personal Data, and updates the Personal Data, as per the Data Subject’s requests for change of the Personal Data concerned, as per the PDP Regulations.
4.3. Personal Data Processing for Specified, Explicit and Legitimate Purposes
The Company will determine the purposes for which the Personal Data will be processed, prior to the Processing of Personal Data. In this regard, the Company clearly establishes the purposes for processing of the Personal Data, and processes the Personal Data in accordance with its business activities, for the purposes connected therewith. In this context, the Data Subjects will be notified as per the PDP Regulations, and if so required, the Explicit Consent of such persons will be obtained.
4.4. Personal Data Being Relevant, Limited and Proportionate to the Purposes for Processing
The Company processes Personal Data only in the nature and to the extent required for its business activities, and processes such Personal Data as limited to the specified purposes. In this regard, the Company refrains from processing Personal Data which are not related to or necessitated for the realization of the specified purposes.
4.5. Personal Data Being Stored Only for the Time as Prescribed in the Applicable Legislation or as Necessitated by the Purposes for which they are Processed
4.5.1. Personal Data are disposed at the end of the specified retention periods, as per the periodic disposal periods or according to the application of the Data Subject and with the specified methods of Disposal (erasure and/or destruction and/or anonymization). In such case, the Company will ensure that the third parties to whom/which Personal Data are transmitted also erase, destruct or anonymize Personal Data.
4.5.2. The Company keeps the Personal Data for the period that is required for the purpose for which they are processed and for the minimum period as stipulated in the applicable legislation. Within this scope, the Company initially determines whether any period is prescribed by the applicable legislation for the retention of Personal Data or not, and if any period is so designated, adheres to such period. If any statutory period has not been prescribed, Personal Data are stored for the period that is required for the purpose for which they are processed.
4.5.3. The Committee will be incumbent with the operation of the Disposal processes. In this regard, the necessary procedure will be established by the Committee.
5. PROCESSING OF PERSONAL DATA
The Company may process Personal Data solely on the basis of the procedures and principles listed below:
5.1. Explicit Consent
5.1.1. Personal Data may solely be processed with the Explicit Consent of the Data Subject if any of the other Personal Data processing conditions listed below is not satisfied.
5.1.2. In such a case, the Personal Data will be processed following the fulfillment of the Obligation to Inform the Data Subjects, and upon the granting – freely – by the Data Subjects of their Explicit Consent.
5.1.3. Explicit Consent will be attained from the Data Subjects with methods consistent with the PDP Regulations. Explicit Consent will be maintained by the Company in a demonstrable manner, as long as the period required under the PDP Regulations.
5.1.4. The Committee will be obligated to ensure the fulfillment of the Obligation to Inform, in terms of all Personal Data Processing operations, and the attainment of the Explicit Consent, if and when so required, as well as the maintenance of the Explicit Consent so attained. All department employees processing Personal Data will be obliged to adhere to the Committee’s instructions, this Policy and the PDP procedures.
5.2. Expressly Permitted by any Law
If the Personal Data of the Data Subject is expressly permitted by any law, i.e., in case of the existence of a clear provision on the Processing of the Personal Data under the applicable law; Personal Data will be processed pursuant to this condition for data processing.
5.3. Being Unable to Obtain the Explicit Consent of the Person Concerned due to De Facto Impossibility
Personal Data of the Data Subject can be processed in cases in which Explicit Consent cannot be given due to de facto impossibility or it is necessary to process the Personal Data in order to protect the life or physical integrity of the Data Subject or another person where the Data Subject is incapable of giving Explicit Consent.
5.4. Being Directly Related to the Conclusion or Performance of the Contract
If it is necessary to process Personal Data, provided that the Processing is directly related to the conclusion or performance of the contract to which the Data Subject is a party, the Personal Data pertaining to the Data Subject can be processed pursuant to this condition for data processing.
5.5. Personal Data Processing Required for the Company’s Compliance with a Statutory Obligation
Personal Data pertaining to the Data Subject may be processed if it is necessary for the Company to process Personal Data in order to comply with its statutory obligations.
5.6. Personal Data are Revealed to the Public by the Data Subject
In the event that the Personal Data are revealed to the public by the Data Subject, the Personal Data concerned may be processed, as limited to the purpose for publicity/disclosure.
5.7. Personal Data Processing Required for the Establishment or Protection of a Right
If it is necessary to process Personal Data for the establishment, exercise or protection of a right, the Personal Data pertaining to the Data Subject can be processed pursuant to this condition for data processing.
5.8. Personal Data Processing Required for the Legitimate Interests of the Company
If the processing of data is necessary for the Company’s legitimate interests, provided not to impair the fundamental rights and freedoms of the Data Subject, the Personal Data pertaining to the Data Subject can be processed pursuant to this condition for data processing.
6. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
6.1. Special Categories of Personal Data are processed by the Company in accordance with the principles and procedures which are prescribed in this Policy and by taking all necessary administrative and technical measures, including the methods which will be determined by the Board and in case of the existence of any condition below:
• Special Categories of Personal Data other than those relating to health and sexual life may be processed without the Explicit Consent of the Data Subject, if expressly permitted by law, i.e., if there is a clear provision on the processing of personal data in the applicable law. Otherwise, the Explicit Consent of the Data Subject will be sought for the processing of Special Categories of Personal Data other than those relating to health and sexual life.
• Special Categories of Personal Data relating to health and sexual life may be processed by persons under the confidentiality obligation (such as the occupational physician working under the Company’s payroll) or authorized institutions and organizations, without seeking Explicit Consent of the Data Subject, for the purposes of the protection of public health, the operation of preventive medicine, medical diagnosis, treatment and care services, the planning and management of healthcare services. Otherwise, the Explicit Consent of the Data Subject will be sought for the processing of Special Categories of Personal Data other than those relating to health and sexual life.
6.2. With respect to its employees who are involved in the Processing of Special Categories of Personal
6.2.1. Data, the Company will:
6.2.2. regularly provide training on PDP Regulations and the security of Special Categories of Personal Data;
6.2.3. Personal Data;
6.2.4. sign confidentiality (non-disclosure) agreements with such employees;
6.2.5. clearly define the scope and duration of authorization of the users who have been granted with
6.3. authorization to access Special Categories of Personal Data;†
6.3.1. periodically perform authorization controls;
forthwith revoke the authorizations in this regard and promptly take back the inventory allocated to the employees whose positions are changed or who resign/whose employment contracts are terminated.
In the event that the Special Categories of Personal Data are transferred to electronic mediums, the Company will perform the following acts in relation to the electronic mediums where Special Categories of Personal Data are processed, stored and/or accessed:
The Special Categories of Personal Data will be stored by using cryptographic methods;
6.3.2. The cryptographic keys will be kept in secure and different mediums;
6.3.3. All records of actions carried out over Special Categories of Personal Data will be logged securely;
6.3.4. Security updates of the mediums where Special Categories of Personal Data are kept will be continuously monitored, and the necessary security tests will be regularly undertaken or commissioned to be undertaken, with the test results being recorded;
6.3.5. If the Special Categories of Personal Data are accessed through a software, user authorizations concerning such software will be made, the security tests of such software will be regularly undertaken or commissioned to be undertaken, with the test results being recorded;
6.3.6. If the Special Categories of Personal Data are accessed remotely, at least a two-factor authentication system will be used.
6.4. In the event that the Special Categories of Personal Data are processed physically, the Company will perform the following acts in relation to the physical environments where the data are processed, stored and/or accessed:
6.4.1. Sufficient security measures (against stray voltage, fire, flood, theft etc.) will be adopted, depending on the nature of the environments where Special Categories of Personal Data are stored;
6.4.2. Physical security of such environments will be ensured, whereby unauthorized entrances-exits will be precluded;
6.5. In case of the transfer of Special Categories of Personal Data, the Company will:
6.5.1. use the encrypted corporate e-mail address or Registered Electronic Mail (KEP) account if Special Categories of Personal Data are required to be transferred via e-mail;
6.5.2. Encryption through cryptographic methods will be performed if Special Categories of Personal Data are required to be transferred via mediums such as flash memories, CDs, DVDs, and the cryptographic key will be kept separately;
6.5.3. If Special Categories of Personal Data are required to be transferred between servers in different physical locations, a VPN will be established between the servers or the transmission will be carried out by employing the SFTP method;
6.5.4. If the Special Categories of Personal Data are required to be transferred in hard copy, the necessary measures will be adopted against risks such as the theft or loss of the document or accessby unauthorized persons, and the document will be transmitted as “classified”.
6.6. In addition to the foregoing regulations, the Committee will be responsible for the adoption of measures and the establishment of mechanisms in compliance with the PDP Regulations, particularly the Personal Data Security Guidelines published by the Board, in relation to the security of the Special Categories of Personal Data.
7. PERSONAL DATA PROCESSED BY THE COMPANY AND PURPOSES FOR PROCESSING
In accordance with the Company’s purposes for the processing of Personal Data, the Company processes Personal Data in compliance with the general principles which are stipulated in the LPPD, in particular the principles set forth in Article 4 of the LPPD regarding the Processing of Personal Data, on the basis of and limited with at least one of the conditions for the processing of Personal Data as enumerated in Articles 5 and 6 of the LPPD, by informing the Data Subjects pursuant to Article 10 of the LPPD and secondary legislation. The list of categories of personal data which are processed within the framework of the purposes and conditions set forth in this Policy and detailed information on the categories may be reviewed at any time from the “Registration Search (Query)” screen of Data Controllers’ Registry Information System (VERBİS) of the Personal Data Protection Authority.
8. PERIOD OF RETENTION AND DESTRUCTION OF PERSONAL DATA
8.1. The Company keeps the Personal Data for the period that is required for the purpose for which they are processed and for the minimum period as stipulated in the applicable legislation. Within this scope, the Company initially determines whether any period is prescribed by the applicable legislation for the retention of Personal Data or not, and if any period is so designated, adheres to such period. If any statutory period has not been prescribed, Personal Data are stored for the period that is required for the purpose for which they are processed. Personal Data cannot be stored by the Company under any circumstances, in consideration of the likelihood of future use.
8.2. The Company will establish a Personal Data retention and Disposal policy in accordance with the Personal Data processing inventory, and will carry out all Disposal (erasure and/or destruction and/or anonymization) activities in conformity with the PDP Regulations and the applicable Personal Data Retention and Disposal policy. Personal Data are disposed at the end of the specified retention periods, as per the periodic disposal periods or according to the application of the Data Subject and with the specified methods of Disposal (erasure and/or destruction and/or anonymization). The Committee will be incumbent with the operation of the Disposal processes. In this regard, the necessary procedure will be established by the Committee.
9. TRANSFER OF PERSONAL DATA
9.1. The Company may transfer the Personal Data pertaining to Data Subjects, to third parties located in Turkey and/or abroad, in accordance with the PDP Regulations, by adopting the necessary security measures in accordance with the lawful purposes for the processing of Personal Data. In such a case, the necessary preventive regulations will be incorporated to the contracts to be executed with third parties.
9.2. The Company may transfer Personal Data to third parties located in Turkey and/or abroad, by adopting the necessary administrative and technical measures, in accordance with the PDP Regulations, despite the non-attainment of the Explicit Consent of the Data Subject, in the event of the existence of one or more of the following conditions:
- The activities regarding the transfer of Personal Data are expressly permitted by any law;
- The transfer of Personal Data by the Company is directly related to and necessary for the conclusion or performance of a contract;
- The transfer of Personal Data is necessary for compliance by the Company with a statutory obligation;
- The transfer of Personal Data is undertaken by the Company, as limited to the purpose for publicity/disclosure, provided that they are revealed to the public by the Data Subject;
- The transfer of Personal Data by the Company is necessary for the establishment, exercise or protection of the rights of the Company or the Data Subject or another person;
- The transfer of Personal Data is required for the legitimate interests of the Company, except where such interests are overridden by the fundamental rights and freedoms of the Data Subject;
- The transfer of Personal Data is necessary to protect the life or physical integrity of the Data Subject or another person where the Data Subject is incapable of giving consent due to de facto impossibility or the Data Subject’s consent is not legally valid.
9.3. In addition to the foregoing, Personal Data may be transferred to any foreign jurisdiction which is declared by the Board to ensure an adequate level of protection (“Foreign Jurisdiction Offering an Adequate Level of Protection”) in case of the existence of any condition above. In case an adequate level of protection is not ensured, Personal Data may be transferred - in accordance with the data transfer conditions which are prescribed by the legislation - to foreign jurisdictions (“Foreign Jurisdiction where a Data Controller Commits an Adequate Level of Protection”), if the data controllers in Turkey and the foreign country concerned so commit in writing to provide an adequate level of protection and if permission is given by the Board.
10. TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA
10.1. Special categories of personal data may be transferred by the Company in accordance with the principles which are stipulated in this Policy and by taking all necessary administrative and technical measures, including the methods which will be determined by the Board and in case of the existence of any condition below:
• Special Categories of Personal Data other than those relating to health and sexual life may be processed without the Explicit Consent of the Data Subject, if expressly permitted by law, i.e., if there is a clear provision on the processing of personal data in the applicable law. Otherwise, the Explicit Consent of the Data Subject will be sought for the processing of Special Categories of Personal Data other than those relating to health and sexual life.
• Special Categories of Personal Data relating to health and sexual life may be processed by persons under the confidentiality obligation (such as the occupational physician working under the Company’s payroll) or authorized institutions and organizations, without seeking Explicit Consent of the Data Subject, for the purposes of the protection of public health, the operation of preventive medicine, medical diagnosis, treatment and care services, the planning and management of healthcare services. Otherwise, the Explicit Consent of the Data Subject will be sought for the processing of Special Categories of Personal Data other than those relating to health and sexual life.
10.2. In addition to the foregoing, the Special Categories of Personal Data may be transferred to Foreign Jurisdictions Offering an Adequate Level of Protection in case of the presence of any of the conditions listed above. If there is not an adequate level of protection, the Special Categories of Personal Data may be transferred - in accordance with the data transfer conditions which are prescribed by the legislation - to the Foreign Jurisdictions where a Data Controller Commits an Adequate Level of Protection.
11. THE COMPANY’S OBLIGATION TO INFORM
11.1. The Company will inform the Data Subjects about the Processing of Personal Data prior to such processing, in accordance with Article 10 of the LPPD and the Communiqué on Principles and Procedures to be Followed for the Fulfillment of the Obligation to Inform”. Accordingly, the Company, in its capacity as the Data Controller, informs the Data Subjects, in accordance with the PDP Regulations, about the party/parties processing the Personal Data, the purposes for such processing, the recipient(s) to whom/which Personal Data are transferred and the purposes for such transfer, the methods of and legal basis for the collection of Personal Data and the rights possessed by the Data Subjects regarding the processing of Personal Data.
11.2. The Committee will establish the PDP Procedures required for the reporting to the Committee of all novel Personal Data Processing activities.
11.3. If the Data Processor is an external third party, such third party must commit to comply with the aforementioned obligations, in a written agreement, prior to any Processing of Personal Data. Each employee is obliged to run the procedure set forth in this Policy and the PDP Procedures in case of any transfer of Personal Data to the Company by any third party.
12. THE RIGHTS OF DATA SUBJECTS
12.1. The Data Subjects are entitled to:
- know whether your Personal Data are processed by the Company or not;
- request information thereon if your Personal Data have been processed;
- learn the purpose for the processing of your Personal Data and whether such data were used in conformity with such purpose or not;
- know about the third parties in Turkey or abroad to whom/which Personal Data are transferred;
- request the rectification of your Personal Data in case of incomplete or inaccurate processing;
- request the deletion or destruction of your Personal Data in case the disappearance of the reasons for lawful processing, although they are processed in accordance with the LPPD and other applicable legal provisions, and request the notification of third parties, to which/whom your Personal Data have been transferred, about this operation;
- object to any outcome reached to your detriment by means of the analysis of the processed data exclusively through automated means; and
- claim compensation in case you suffer damage due to unlawful processing of your Personal Data.
12.2. The Data Subjects may communicate their requests to exercise their rights which are listed in section 12.1 of this Policy, through the methods which are designated by the Board. In this regard, the Data Subjects may use Lotte Chemical Turkey Yüzey Tasarımları San. ve Tic. A.Ş.’s Data Subject Application Form which is accessible from https://www.belenco.com/en/data-subject-application-form.aspx. However, the Data Subjects should, in any case, check the current application methods, from the applicable legislation, prior to filing an application, and submit their applications according to the said procedures and principles.
12.3. In the event that the Data Subjects communicate their requests to exercise their aforelisted rights in writing; the Company will conclude their requests in accordance with the PDP Regulations, on a free of charge basis, at most within 30 (thirty) days, depending on the nature of the request. However, if the conclusion of the requests by the Data Controller requires an additional cost, the Data Controller may charge the fees in the tariff which is determined by the Board.
13. MANAGEMENT AND SECURITY OF PERSONAL DATA
13.1. The Company will set up a Committee to discharge its obligations under the PDP Regulations; to procure and oversee the preparation and implementation of the PDP Procedures which are required for the application of this Policy; and to make recommendations for the operation/functioning thereof.
13.2. The Company will adopt any and all necessary administrative and technical measures to ensure the safeguarding of the Personal Data in accordance with the PDP Regulations. In this regard, the Processing of the Personal Data by the Company will be inspected by the technical systems based on cost of applications and technological means.
13.3. Technically qualified personnel will be employed for the Personal Data Processing activities.
13.4. The Company’s employees will be informed and trained about the protection and lawful processing of Personal Data
13.5. The PDP Procedures which are necessitated to grant access to Personal Data by the employees who need to access such Personal Data will be drafted, and the Committee will be responsible for the preparation and implementation of such PDP Procedures.
13.6. The Company’s employees may access Personal Data solely within the scope of the authorization assigned thereto and in accordance with the PDP Procedures.
13.7. In case of any suspicion by the Company’s employees of the inadequate security of the Personal Data or identification thereby of any security vulnerabilities, they will forthwith notify it to the Committee.
13.8. Detailed PDP Procedures on the security of Personal Data will be drafted by the Committee.
13.9. Each person to whom a Company’s device is allocated will be responsible for ensuring the security of the device(s) so allocated for his/her use.
13.10. Each Company employee will be responsible for ensuring the security of the physical files under his/her area of responsibility.
13.11. In case of any security measures which are requested or to be requested additionally for ensuring the security of the Personal Data under the PDP Regulations, all employees will be obligated to comply with the additional security measures and to ensure the continuity of such security measures.
13.12. All of the Personal Data which are processed at the Company will be considered as “Confidential Information” by the Company.
13.13. The Company’s employees will be informed about the survival of their obligations as to the security and confidentiality of Personal Data, after the cessation of the employment relationship, and will sign a letter of undertaking that they will abide by such rules.
14. AUDITS
The Company is entitled to periodically audit the compliance by all of the Company’s personnel and the Data Processors with the PDP Regulations, this Policy and the PDP Procedures at any time and ex officio, without any prior notice, and will carry out all necessary regular audits to ensure compliance in this regard. The Committee will draft the PDP Procedures for such audits, and ensure the implementation of the aforesaid procedures.
15. RESPONSIBILITIES
The Committee which is incumbent with the preparation, revision and implementation of this Policy is assigned by the Company’s Executive Board, and the amendments to be made in this regard will again be made by following the same procedure.
16. CHANGES TO THE POLICY
16.1. The Company may amend this Policy at any time, upon the approval by the Executive Board.
16.2. The Company will make the current version of the Policy available to the Data Subjects by posting it on the website below:
Website(s) Concerned: www.belenco.com
17. ENFORCEMENT DATE OF THE POLICY
The present version of this Policy entered into force on October 15, 2022 upon the approval of the Company’s Executive Board.