Special Cat Personal Data Policy
PROTECTION AND PROCESSING POLICY FOR SPECIAL CATEGORIES OF PERSONAL DATA
-1- INTRODUCTION
Special categories of personal data refer to information that may lead to discrimination or victimization if disclosed. The Personal Data Protection Law (KVKK) No. 6698 assigns particular importance to such data, requiring stricter protection measures. This policy outlines the procedures and guidelines established by the data controller, Çeşit Parlatıcı Zımpara Sanayi ve Ticaret Limited Şirketi ("Çeşit" or "the Company"), for safeguarding special categories of personal data.
Key Terms:
Law: KVKK No. 6698
Company: Çeşit Parlatıcı Zımpara Sanayi ve Ticaret Limited Şirketi
Policy: This document
Board: Personal Data Protection Board
-2- PURPOSE OF THE POLICY
The Company processes special categories of personal data in compliance with the Law and implements stringent technical and administrative measures to ensure their protection. Additionally, the Company adheres to the sufficient measures prescribed by the Board under Article 6(4) of the Law.
-3- SCOPE OF THE POLICY
This policy defines the principles and procedures for processing special categories of personal data in accordance with the Law, relevant legislation, and Board decisions. It also details the administrative and technical measures required for protection.
-4- DEFINITIONS
| Term | Definition |
|---|---|
| Data Controller | The natural or legal person determining the purposes and means of processing personal data and managing the data recording system. |
| Special Categories of Personal Data | Data relating to race, ethnicity, political opinion, religion, health, sexual life, criminal record, biometric or genetic data (as defined in Article 6 of the Law). |
| Explicit Consent | Freely given, informed, and specific consent. |
| Data Subject | The natural person whose personal data is processed. |
| Processing of Personal Data | Any operation performed on personal data, including collection, storage, modification, transfer, etc. |
-5- PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
Special categories of personal data may only be processed with the data subject's explicit consent, except where permitted by law.
Non-health data: Processed for purposes listed under Section 6, either with explicit consent or as permitted by law (Article 6(2)-(3) of the Law).
Health data: Collected only by authorized persons/institutions for public health, medical diagnosis, treatment, or healthcare financing purposes, or with explicit consent.
-6- PROCESSED PERSONAL DATA AND PURPOSES
Special categories of personal data are processed for:
Employee recruitment and contractual obligations
Occupational health and safety activities
Legal compliance and regulatory reporting
Insurance and benefits administration
Archiving and record-keeping
Data Categories Processed:
Health Data: Medical reports, prescriptions, consultation records.
Criminal Record Data: Disciplinary records, judicial history.
-7- RETENTION PERIODS
| Process | Retention Period |
|---|---|
| Employee Health Records | 10 years after employment ends. |
| Criminal Record Checks | 10 years after employment ends. |
Data is deleted, destroyed, or anonymized per the Personal Data Retention and Disposal Policy upon expiry.
-8- TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA
Such data is shared only with authorized persons/institutions, either as required by law or with explicit consent. Transfers abroad are generally prohibited unless legally permitted.
-9- ACCESS TO SPECIAL CATEGORIES OF PERSONAL DATA
Non-health data: Access is restricted to relevant departments (e.g., HR) and requires explicit consent or legal authorization.
Health data: Accessible only to occupational health units under confidentiality obligations.
-10- PROTECTION MEASURES
The Company implements the following technical and administrative measures, as mandated by the Board’s Decision No. 2018/10:
1. Policy Framework: A separate, systematic policy governs special categories of personal data.
2. Employee Training & Controls:
Regular training on data security.
Confidentiality agreements with employees/third parties.
Role-based access controls and periodic audits.
Immediate revocation of access upon role changes/termination.
3. Electronic Security:
Encryption for stored/transferred data.
Secure logging of all data activities.
Regular security updates and penetration testing.
Two-factor authentication for remote access.
4. Physical Security:
Restricted access to physical storage areas.
5. Secure Transfers:
Encrypted emails/KEP for electronic transfers.
Encrypted portable media with separate key storage.
VPN/sFTP for server-to-server transfers.
"Confidential" labeling for physical documents.
-11- DATA SUBJECT RIGHTS
Data subjects may exercise their rights under Article 11 of the Law (e.g., access, rectification, erasure) per the Personal Data Application and Response Procedure and the Personal Data Protection and Processing Policy.
Contact:
Data Controller: [Name/Title]
Email: [Email Address]
Address: [Company Address]



