TEMSA SKODA SABANCI ULAŞIM ARAÇLARI ANONIM SIRKETI (TEMSA)

PERSONAL DATA PROCESSING AND PROTECTION POLICY

1. PURPOSE AND PRINCIPLES

Protection of personal data is highly sensitive to TEMSA Skoda Sabancı Ulaşım Araçları Anonim Şirketi (TEMSA or Company) and its affiliates and is among our Company’s top priorities. Personal Data Processing and Protection Policy (the Policy) sets out the principles of data protection and processing rights of the Company’s customers, potential customers, web-site users, employees, employee candidates, previous employees, visitors and shareholders and directors of the Company with respect to their personal data collected, processed and protected subject to the Law on Protection of Personal Data No. 6698 (LPPD) and General Data Protection Regulation (GDPR).

2. PERSONAL DATA PROCESSING POLICY

2.1. Principles of Personal Data Processing

TEMSA processes personal data in compliance with LPPD and GDPR. Our personal data principles notes that the personal data shall be:

  • Processed lawfully and fairly.
  • Accurately and where necessary, kept up to date.
  • Processed for specific, clear and legitimate reasons.
  • Used and disclosed in limited and reasonable manner.
  • Kept no longer than predetermined periods noted in the related legislation or necessary for the purposes of processing.

2.2 Reasons of TEMSA for Processing Personal Data

TEMSA informs the relevant persons when collecting personal data. TEMSA heads light on the identity of TEMSA and its representatives (if applicable), the purpose for processing the personal data, to whom and why the processed personal data may be transferred, the method for collecting personal data, the lawful reasons for collection and the rights of the relevant persons.

TEMSA processes personal data subject to the conditions and in accordance with the purposes listed below.

2.1.1. Terms

  • TEMSA may process personal data if it is required to fulfil a legal obligation or if law requires the personal data or allows these transactions;
  • TEMSA may process personal data in case the processing of personal data is directly related to and necessary for signing or performing a contract [Personal data may be processed to draft a proposal before concluding a contract or to fulfil the inquiries of such relevant persons as a result of a contract.];
  • TEMSA may process personal data provided that it is made anonymous and for the limited purposes of transforming such data into an anonymous form;
  • TEMSA may process personal data in case it is required to establish, use or protect the rights of TEMSA, of the individuals whose data is being processed or of other parties;
  • TEMSA may process personal data for its own legitimate interest provided that the fundamental rights and freedoms of the persons whose data is processed are not violated [legitimate interests are interests that are in line with the law, morals and customs including commercial and material interests];
  • TEMSA may process personal data to protect the data owner’s or someone else’s life or bodily integrity even when it is impossible or not legally valid for the personal data owner to express consent;
  • TEMSA may process private personal data except the ones related to the health and sex life of the data owner, in circumstances defined in applicable laws.

If the conditions stated above do not exist, TEMSA shall ask for the explicit consent to process personal data from the personal data owners.

2.1.2. Purposes

Your personal data shall be processed in accordance with the following purposes stated below:

  • Contractual processes such as sales, after-sales support and car-renting, execution and follow-up of all required transactions, starting, evaluating and concluding rental demand process of car rental customers, performing risk assessments, performing contractual processes and planning operational processes and execution regarding car rentals,
  • Preparing and managing customer registrations,
  • Executing obligations regarding after sales support, valuation of damage and accident processes, performing and follow-up of loss in damage processes,
  • Performing financial and accounting processes including invoice activities regarding sales and executing risk assessments,
  • Executing evaluation, analyses and risk assessments with customers in accordance with legal boundaries,
  • Follow-up of guarantee obligations, motor insurance and insurance processes,
  • Performing customer relations and execution of corporate governance activities,
  • Managing and follow-up of customer demands and complaints,
  • Improving and developing the services of our Company, determining and implementing commercial and business strategies,
  • Maintaining operations and business, performing Company activities and procedures,
  • Risk assessment, ensuring business continuity, follow-up of contractual processes or legal demands,
  • Planning information security processes, establishing and managing information technology infrastructure,
  • Ensuring the legal and commercial services with the products and services offered by our Company to the individuals who have business relations with our Company,
  • Planning and follow-up of work carried out with business partners, subsidiaries or distributors,
  • Follow-up and execution of legal processes and communication processes with government agencies,
  • Follow up, planning and conducting credit evaluation transactions to be made by credit provider companies in case of application for credit facilities offered by the credit-provider companies for our products and/or services,
  • Developing and updating the efficiency reports by obtaining information on customer-based developments,
  • Planning and organizing activities to make marketing researches to ensure and/or increase its commitment to product and services,
  • Programming and follow-up of sales, marketing and promotion of products and services,
  • Organization and follow-up of activities such as vehicle test drives,
  • Control and analysis of customer data for the purpose of planning and follow-up of employee’s performance evaluation processes and/or business activities
  • Planning and execution of specific sales and marketing activities,
  • Customizing products and services in accordance with your tastes, usage habits and needs,
  • Planning and execution of activities such as gifts and gestures for the customers in accordance with their tastes, usage habits and needs,
  • Proposing campaign and offers to the customers by evaluating their shopping histories and sending e-mails messages to the customers or potential customers prior to their shopping histories,
  • Customizing, advertising and planning and execution of activities related to the products and services according to the tastes, usage habits and needs of the individuals for the purposes of establishing or increasing the commitment to the products and services offered by our Company, executing satisfactory and commitment surveys,
  • Sending marketing instruments, campaigns, proposals and activity invitations to the potential rental customers, vehicle purchase customers and/or other customers, planning, executing and keeping the registrations of activities and organizations.

2.3. Processing Personal Data of Candidate Employees

TEMSA shall process personal data of candidate employees in order to fulfil the legal obligations pursuant to Labor Law and related regulation and to perform determined recruitment activities of TEMSA HR department provided that TEMSA shall inform employee candidates and ask for the explicit consent to process personal data from the employee candidates. Personal data of candidate employees shall be collected and processed during job interviews and/or any written or electronic methods. Since TEMSA is an international company and holds information systems in different countries and it is possible for new candidates to be evaluated in different positions, personal data of candidate employees may be transferred other TEMSA’s subsidiaries located other countries pursuant to regulations. TEMSA shall inform public authorities as required by regulation. The main purpose of the processing of personal data of employee candidates is recruitment and personal data shall also be processed for the following purposes:

  • To evaluate qualifications, experience and interest of the employee candidate for open position(s);
  • If necessary; to check the accuracy of the information given by the employee candidate or contact the third-party individuals (such as references) to conduct research on the employee candidate;
  • To contact the employee candidate regarding process of application and recruitment or where appropriate; to contact with the employee candidate for any open positions in such country or abroad;
  • To fulfil the requirements of the relevant regulation or the request of the authorized institution(s).

The personal data of employee candidates shall be kept for a period in compliance with the deadlines referred to in under the Article titled Retention Periods for Personal Data of the current this Policy. Following the deadlines, the personal data shall be terminated or anonymized.

3. SECURITY OF PERSONAL DATA

TEMSA shall take necessary measures to provide an appropriate level of security to prevent illegal processing of the personal data, illegal access to personal data and to ensure protection of personal data and prevent illegal processing by third parties.

4. TRANFERRING PERSONAL DATA

4.1. Domestic Transfer of Personal Data

TEMSA may transfer personal data and private personal data to third parties (its business partners, shareholders, affiliates, public institution(s) in which TEMSA has legal obligation to and other third parties) by taking all the safety measures defined and in compliance with regulations.

4.2. Cross Border Transfer of Personal Data

TEMSA may transfer personal data being processed in Turkey or being processed and stored overseas, as mentioned above, including that data being processed via external resource usage, to unrelated persons in Turkey or overseas, on condition that it is transferred in line with the conditions defined in the regulation, taking all the safety measures defined in regulation or, if applicable, the contract signed with the data owner. Under exceptional conditions where explicit consent is not required to transfer personal data defined in regulation, in addition to the processing and transfer requirements it is required that sufficient protection is available in the country where the data is to be transferred. Personal Data Protection Board (Board) shall determine whether sufficient protection is provided. If there is not sufficient protection, data personnel both in Turkey and overseas need to approve sufficient protection in writing and the Board needs to grant a permission for the purpose.

4.3. Institutions and Entities to which Data is Transferred

TEMSA may share the information requested by public legal entities due to their authority and subject to conditions of regulations. Other persons and institutions to whom the personal data might be transferred for the purposes mentioned above are as follows: subsidiaries and/or direct/indirect domestic/overseas institutions and other unrelated persons, who provide services, cooperate with TEMSA, alongside of TEMSA, for taking data security measures such as the protection of all kinds of personal data and preventing unauthorised access and illegal processing.

5. RETENTION PERIODS FOR PERSONAL DATA

TEMSA applies the principle that, in case available, the personal data shall be kept for the periods specified in the relevant laws and regulations. In case a retention period is not determined with the relevant legislations, the personal data shall be deleted, terminated or anonymized after being processed for the time required for the practices of TEMSA and commercial practices or the statutory time limits prescribed by the relevant laws depending on the activity carried out for that transaction. In accordance with the relative legislations, durations for retention and deletion of personal data are as follows:

Retention and Deletion Periods of TEMSA

Category of Data Retention Period (Following the termination of the Relation) Regular Deletion Periods

Data arising out of contractual relationship (General statute of limitation regulated on Turkish Code of Obligations) 10 (ten) Years Periodically within the month in which ten (10) years has expired for each data and/or within the six (6) month data deletion cycles determined by the data controller after the expiry of such retention period.

Data arising out of tenancy

5 (five) Years Periodically within the month in which five (5) years has expired for each data and/or within the six (6) months data deletion cycles determined by the data controller after the expiry of such retention period.

Data regarding employees’ wage rights

5 (five) Years Periodically within the month in which five (5) years has expired for each data and/or within the six (6) months data deletion cycles determined by the data controller after the expiry of such retention period.

Medical examination data of Employees

15 (fifteen) Years Periodically within the month in which fifteen (15) years has expired for each data and/or within the six (6) months data deletion cycles determined by the data controller after the expiry of such retention period.

Tax-related records 5 (five) Years Periodically within the month in which five (5) years has expired for each data and/or within the six (6) months data deletion cycles determined by the data controller after the expiry of such retention period.

Processed personal data of consumers

2 (two) Years Periodically within the month in which two (2) years has expired for each data and/or within the six (6) months data deletion cycles determined by the data controller after the expiry of such retention period.

Personal data of employee candidates 6 (six) Months Periodically within the month in which six (6) months has expired for each data and/or within the six (6) months data deletion cycles determined by the data controller before the expiry of such retention period.

Personal data of visitors 6 (six) Months Periodically within the month in which six (6) months has expired for each data and/or within the six (6) months data deletion cycles determined by the data controller before the expiry of such retention period.

6. THE RIGHTS OF PERSONS WHOSE PESONAL DATA IS BEING PROCESSED BY TEMSA AND HOW DO DATA OWNERS MAKE USE OF THEIR RIGHTS

Persons whose personal data is processed by TEMSA have the following rights to:

  1. Learn whether her/his personal data is being processed;
  2. Request information as to the possibility of processing of his/her data,
  3. Learn the purposes of such processing of personal data and whether processed data is being used in accordance with these purposes,
  4. Learn whether his/her personal data is being transferred within the country or to abroad,
  5. Request amendment in case his/her personal data processed is incomplete or inaccurate and request that the process carried out in this context to be notified to the third parties to whom the personal data is transferred,
  6. Request the deletion or termination of his/her personal data in the event that the reasons for its processing are no longer present, despite having been processed in accordance with the laws, and request that the process carried out in this context to be notified to the third parties to whom the personal data is transferred,
  7. Request that the parties to whom his/her data is transferred are informed of the transactions carried out as per paragraphs (d) and (e),
  8. Object to the occurrence of a result to the detriment of the person himself/herself, by means of analysing the processed data exclusively through automated systems,
  9. Request compensation for the damages in case the person incurs damages due to unlawful processing of his/her personal data.

You may exercise your rights within the scope of the LPPD and GDPR in writing.

Such notifications could be sent to our Company’s headquarter address Sarıhamzalı Mahallesi, Turhan Cemal Beriker Bulvarı No.563/A 0111110Seyhan/Adana – Turkey or to our Istanbul branch at Kısıklı Caddesi, Şehit Teğmen İsmail Moray Sokak, No: 2/1 34662 Altunizade/Istanbul – Turkey.

You may use the Application Form at our website for the purposes. Please find below the link for such form:

Application Form

Your inquiries noted in your application shall be evaluated within the shortest time and within thirty (30) days at the latest.

7. DELETION, TERMINATION AND ANONYMISATION OF PERSONAL DATA BY TEMSA

Even if personal data is processed as per the terms of the relevant law, if the reason for processing the data no longer exists, the personal data shall be deleted, terminated or anonymised upon a decision by TEMSA or the request of the personal data owner.

TEMSA reserves the right to reject the data owner’s request in cases where TEMSA has the right or is obliged to keep the data as per the terms of relevant regulation.

TEMSA shall delete, terminate or anonymise the personal data within six (6) months upon the end of retention periods set forth in relevant regulation or at the end of the required processing period, by using one or more of the anonymizations and deletion techniques specified in the guidelines for Deleting, Termination or Anonymizing Personal Data published by the Board.

8. OTHER ISSUES

If there is a conflict between this Policy and the LPPD, GDPR and the terms of other relevant regulation, the LPPD, GDPR and other relevant regulation shall prevail.

TEMSA may make changes or update in this Policy in line with legal regulations and its Company policies. The new Policy reflecting all these changes and updates shall be published at the Company’s website.