Version: 2.01
Date of modification: 10.05.2023

1. PURPOSE and SCOPE

As Hallstock B.V (“Hallstock B.V”, “Company”), we attach importance to the protection of your personal data and private information. Therefore, as Data Controller, your personal data will be used, recorded, We show all the necessary effort and care to process it in accordance with the Law on the Protection of Personal Data No. 6698 (“KVK Law”) by being stored, updated, transferred and/or classified.

In this context, in accordance with the Laws and Regulations issued by our Company to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, and to protect personal data, in order to prevent unlawful processing of your personal data, to prevent unlawful access and to ensure its preservation, appropriate security is provided. All technical and administrative measures are taken to ensure the level of

The target audience of this text is all real persons and our employees whose personal data are processed on our websites and corporate processes. As Hallstock B.V, we provide services over the internet through our web-based and cloud-based services (“Services”). This Illumination Text covers all of the software, sites and applications in question.

Our Websites: www.insaaluminyum.com

Personal information processed on our sites is processed in accordance with the legislation on the protection of personal data. Regarding our web-based services, we are in the status of "data controller" only for those who open a user account and use our websites, and this Privacy Policy is only valid for the processing of data belonging to these individuals.

Customers who process and save data using our services are data controllers independent of us. In these cases, since we are only in the status of "data processor" as the Company, we recommend that you refer to our Customers' own privacy policies, clarification texts and similar documents that process your personal data when necessary.

On the other hand, we do not give any guarantee regarding the data security and data protection practices and policies of third party websites to which we link on our Sites. In this regard, we recommend that you review the data security and data protection policies of the relevant data controller separately.

3. Identity of the Data Controller

Hallstock B.V (or the "Enterprise*) is in the status of "Data Controller" and has legal obligations towards all real persons with whom it contacts and processes personal data, especially employees, employee candidates, customers, suppliers, supplier employees and visitors. obliged to fulfill it.

Hallstock B.V processes your personal data as the "Data Controller" defined in Article 3 of the Personal Data Protection Law No. 6698, and the contact information is below:

Hallstock B.V is in the status of "Data Controller" against the real persons concerned in terms of the personal data of the visitors of the websites and the users of the services provided over the internet. Hallstock B.V, as a data controller, fulfills its obligations arising from laws and Board decisions by taking appropriate and measured technical measures with administrative measures.

As the "Data Controller", our contact information regarding our imprint and personal data is as follows:

4. BASIC CONCEPTS

Explicit consent: Consent on a specific subject, based on information and expressed with free will Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by pairing it with other data p>

Relevant person: Natural person whose personal data is processed

Personal data: Any information relating to an identified or identifiable natural person

Employee who touches personal data: Employees who process personal data of relevant persons on behalf of the organization as per their job description

Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing personal data completely or partially automatically or non-automatically provided that it is a part of any data recording system

Committee: Monitoring all personal data processes carried out by the organization, its units and employees, established in accordance with the "Directive on the Duties and Responsibilities of the KVK Committee" within the organization, controlling whether the policies are complied with, personal data processes within the organization Internal Committee with duties such as conducting on behalf of

Board: Personal Data Protection Board

Authority: Personal Data Protection Authority

KVK: Personal Data Protection Law No. 6698

Special Quality Personal Data: People's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership in associations, foundations or unions, health, sexual life , data on criminal convictions and security measures, and biometric and genetic data

Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller

Data registration system: The registration system in which personal data is structured and processed according to certain criteria

Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system

Joint data controller: The other data controller with whom the organization shares personal data within the scope of its commercial and corporate activities, and carries out processing activities on personal data jointly during this sharing.

Independent data controller: Other independent data controllers who process personal data of the same persons for commercial and corporate purposes

5. PURPOSE OF PROCESSING PERSONAL DATA

Personal data belonging to the persons concerned in our organization, completely and directly related to the activities of the organization and the commercial, business or legal relationship with the relevant person;

• Aims of Management Processes:
  • Execution of commercial activities,
  • Ensuring business continuity, ensuring legal and administrative job security,
  • Planning and execution of business and implementation strategies,
  • Management of occupational health and safety processes,
  • Presentation, promotion and information about the organization, services and products,
  • Fulfillment of obligations arising from legislation and contracts,
  • Ensuring physical space security in and around the organization,
  • Getting legal support,
  • Using printed, periodic and non-periodical publications with electronic and other social media tools,
  • Execution of dealership processes
  • Establishing and maintaining communication with members of the press and media,
  • Informing the public about the activities,
  • Conducting job interviews in a timely and effective manner
  • Completion of the works in a timely and appropriate manner
  • Planning and executing activities at local, national and international levels,
  • Managing relations with domestic and foreign business partners and group companies,
  • Execution of intellectual and industrial property transactions,
  • Promoting, marketing and informing about the organization, products and services,
  • Receiving notifications and feedback from customers and potential customers,
  • Providing technical support to customers,
  • Answering questions from customers and potential customers
  • Providing support for electronic billing services,
  • Participating in events such as fairs, seminars,
• Purposes for Employees:
  • Creation and execution of employment contracts of employees,
  • Fulfillment and implementation of the services offered to the employees,
  • Providing socio-economic benefits to employees,
  • Execution of domestic and international assignment, travel and accommodation processes,
  • Planning and executing human resources processes,
  • Recruitment, execution of business relationship, execution of performance evaluation processes,
  • Creating personal files, storing them in physical and electronic media,
  • Time tracking,
  • Execution of exit procedures and interviews,
  • Execution of performance and audit activities,
• Aims about Information Processes:
  • Creating and updating information and communication infrastructure
  • Managing users of IT tools and systems,
  • Management of corporate e-mail accounts,
  • Management of corporate social media accounts,
  • Managing, auditing and closing the e-mail accounts of employees leaving the job,
  • Management, monitoring, control of portable and/or desktop electronic devices,
  • Execution of transactions regarding website members,
  • Ensuring data security and archiving data,
  • Keeping internet access logs,
  • Tracking the vehicles and users of the organization,
  • Personal data is processed for the purposes of protecting and managing digital assets and rights of customers.

6. RELATED PERSONS whose PERSONAL DATA IS PROCESSED

Hallstock B.V generally and intensively processes the data of the persons concerned within the scope of this Privacy Policy and other administrative and technical measures. In the processing of personal data belonging to real persons outside these categories, the data processing policies of the organization, especially this Privacy Policy, will be complied with. The natural person categories whose personal data are being processed are as follows:

• Employees,
• Employees with an indefinite employment contract,
• Those in charge of trainee and on-the-job training programs,
• Job Applicants,
• Customer representatives and employees,
• Supplier representatives and employees,
• Consultants and Auditors,
• Public officials,
• Our Visitors,
• Visitors of the Websites,
• Potential customers and users,
• Our Dealers

7. LEGAL REASONS AND CATEGORIES OF PROCESSED PERSONAL DATA

7.1. Personal Data of Our Employees, Employees and Interns Who Provide Service with Indefinite Term Employment Contracts

Personal data of the employees, employee candidates and interns of the organization,

• Business Agreement,
• Labor Law No. 4857,
• Turkish Code of Obligations No. 6098,
• Social Insurance and General Health Insurance Law No. 5510,
• Law No. 6331 on Occupational Health and Safety,
• 4632 Private Pension Savings and Investment System Law,
• Execution and Bankruptcy Law No. 2004,
• Law No. 4904 on Some Regulations Regarding the Turkish Employment Agency,
• Vocational Education Law No. 3308,
• Turkish Commercial Code No. 6102,
• Electronic Signature Law No. 5070,
• Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts,
• Regulations on Social Insurance Transactions,
• Identity Notification Law No. 1774,
• Regulation on Payment of Wages, Premiums, Bonuses and All Kinds of Remuneration of this nature through Banks

It operates in accordance with similar laws, regulations and communiqués.

In this context, the organization includes categories of employees' identity, communication, personnel, finance, professional experience, physical space security, legal action, transaction security, risk management, audiovisual records and other information, belief, association membership, foundation membership, health information. processes special quality data such as criminal convictions and security measures.

7.2. Personal Data of Job Applicants

Identity, personal, contact, family information, finance, personal information, personal information, personal information, family information, finance, which are shared with us by online employment platforms and/or talent agents, which are shared with us voluntarily by the job applicants by means of CVs, letters of intent, or forwarded to be shared with all relevant organizations voluntarily. We process personal data such as education, professional experience and habits, as well as special data that they share voluntarily, such as association and foundation memberships that they record in their resumes.

7.3. Personal Data of Real Person Suppliers and Corporate Supplier Representatives

Personal data of natural person suppliers and corporate supplier representatives with whom the organization is in contact while carrying out its commercial activities,

• Service Agreement,
• Turkish Code of Obligations No. 6098,
• Execution and Bankruptcy Law No. 2004,
• Turkish Commercial Code No. 6102,
• Tax Procedure Law No. 213,
• General Communiques of the Tax Procedure Law

and similar laws, regulations and communiqués. The organization processes the personal data of real persons and representatives of customers and suppliers in the categories of identity, communication, finance, legal action and other information.

7.4. Personal Data of Auditors, Consultants and Public Employees

Personal data of auditors, consultants and public employees who carry out control and audit duties in order to carry out commercial and manufacturing activities of the Organization and to ensure its sustainability and quality,

• Turkish Commercial Code No. 6102,
• Customs Law No. 4458,
• Tax Procedure Law No. 213,
• Labor Law No. 4857,
• Law No. 4904 on Some Regulations Regarding the Turkish Employment Agency,
• Social Insurance and General Health Insurance Law No. 5510,
• General Communiques of the Tax Procedure Law,

It operates in accordance with similar laws, regulations and communiqués.

In this context, the organization processes the personal data of auditors, consultants and public officials in the categories of identity, communication and personnel.

7.5. Personal Data of Real Person Customers and Corporate Customer Representatives

Our products and services are purchased, tested and managed with a user account created on our website. We process the personal data of users who use our own services on their own behalf or corporately in the categories of identity, personnel, communication, customer transactions, and finance.

7.6. Personal Data of Our Visitors

Personal data of visitors in order to ensure information and facility security,

• Law No. 5651 on Regulation of Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts,

We are processing within the scope of our legitimate interest.

In this context, personal data of visitors in categories such as Identity, Transaction Security, Physical Space Security are processed.

7.7. Personal Data of Site Visitors and Members

In accordance with our legitimate interests, the personal data of those who visit our websites are processed through "cookies". For more information about cookies, we ask you to review our "Cookie Policy".

7.8. Personal Data of Our Potential Customers

Apart from the advertisements on our sites, we can inform our users, trial users, customers and potential customers about new products or services via e-mail, social media or telephone, with their consent. Our potential customers can request information from us through the forms on our website. The persons concerned may object to such promotional, advertising and promotional communications at any time. In addition, those who do not want to receive such e-mails and SMS messages can block the messages, use the cancellation option or request to be deleted from the lists by contacting us. We process the information of our potential customers such as identity, contact, personnel, finance, customer transactions.

We also have a newsletter to inform those interested in our products and/or services. Each newsletter contains a link from our newsletter where you can unsubscribe. Those who want to cancel the subscription can do so through their account settings. We process the personal data of our potential customers in the categories of identity, personal and communication, but limited to this scope.

7.9. Personal Data of Our Dealers

Identity, communication and personal data of the representatives of our dealers who take part in the sales, marketing and after-sales support services of our products and services,

• Dealership Agreement
• Turkish Code of Obligations No. 6098,
• Execution and Bankruptcy Law No. 2004,
• Turkish Commercial Code No. 6102,
• Tax Procedure Law No. 213,
• General Communiques of the Tax Procedure Law

and similar laws, regulations and communiqués

8. RIGHTS OF THE RELATED PERSON

The Organization accepts that within the scope of the Law, the data subject has the right to obtain consent before the data is processed, and that it has the right to determine the fate of the data after the data is processed.

In this sense, the relevant persons apply to the Contact Person;

• a) Learning whether personal data is processed,
• b) Requesting information on personal data if it has been processed,
• c) Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
• ç) To know the third parties to whom personal data is transferred in the country or abroad,
• d) Requesting correction of personal data in case of incomplete or incorrect processing,
• e) Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
• f) request that the transactions made pursuant to subparagraphs (d) and (e) be notified to third parties to whom personal data has been transferred,
• g) Objecting to the emergence of a result against you by analyzing the processed data exclusively through automated systems,
• ğ) In case you suffer damage due to unlawful processing of personal data, it can exercise its right to demand the compensation of the damage.

However, individuals do not have a right to anonymized data within the Company. Personal data can be shared with relevant institutions and organizations in case of legal authority by a judicial or public authority as a requirement of business and contractual relationship.

Requests within the scope of the enumerated rights are made by filling in the Institution Application Form completely and submitting it to the Contact Person with your wet signature, registered letter with return receipt, and copies of your identity card (only the front page for the identity card).

9. BASIC RULES TO BE FOLLOWED IN PROCESSING PERSONAL DATA

Hallstock B.V units and employees will pay attention to the following basic rules, on which the Privacy Policy and other corporate policies are built, while processing the personal data of the persons concerned.

• Compliance with the rules of law and honesty: Whether the personal data collected by the organization itself or shared with it by other parties are fulfilled, such as informing the relevant person specified in the KVK, and obtaining the explicit consent of the data subject for processing the data when necessary. Checks and queries whether it is not returned. It acts in accordance with the rules of honesty when responding to the information of the related persons, obtaining their explicit consent or responding to their applications for information.
• To be accurate and up-to-date when necessary: The organization tries to ensure that the personal data it processes and keeps in databases contains accurate information as far as control mechanisms allow. It takes care to keep the data as updated as possible. It encourages data sources to share accurate information and update on changes. It pays attention to check that the data is correct and up-to-date at the stage of collection.
• Processing for specific, clear and legitimate purposes: The organization processes personal data only for specific, clear and legitimate purposes set out in this Privacy Policy.
• To be connected, limited and proportionate to the purpose for which they are processed: The organization takes care not to process personal data for any purpose other than the purpose for which they are processed, to inform the relevant person when such a need arises, and to obtain his explicit consent when necessary. It uses data only for the purpose for which it is processed and to the extent required by the service. It does not process, use and make use of data other than for business purposes. When personal data needs to be processed for another purpose, corrections are made in compliance and control tools under the supervision and approval of the Committee.
• Terminal Loyalty: The organization takes care to preserve personal data for as long as required by the relevant legislation or for the purpose for which they are processed. It keeps the personal data arising from the contract within its body as long as the conflict periods in the relevant Laws, the requirements of the commercial and tax law. However, when these purposes disappear, the organization deletes or anonymizes personal data. How long the data in each category will be kept is determined in the Personal Data Inventory.
• Data Reduction: The organization, its units and employees collect data in categories related to the purpose, except for the scope and periods required by the laws and relevant legislation, but in the amount required by the processing purpose and take care to process it in its systems as long as necessary.
• Data Reduction: /li>
• Deletion and Disposal: The organization keeps the personal data it processes for as long as it is bound by the laws, social security, debts, tax and commercial law, limited to the periods stipulated in the relevant field legislation and/or for the periods required by the processing purpose. . In the event that these periods expire, it deletes, destroys or anonymizes the expired personal data in accordance with the Personal Data Retention, Deletion, Destruction and Transfer Policy and with the permission and supervision of the Committee.
• Privacy and Data Security: In all processes of processing, transferring and storing personal data in the organization, care is taken to ensure general privacy rules and data security, and actions are taken in accordance with the policy documents and rules created for this purpose. Care is taken to take necessary administrative and technical measures.

10. TRANSFERRING PERSONAL DATA

Hallstock B.V makes use of domestic and international service and product suppliers in order to be able to carry out production-oriented and commercial activities, and to carry out the activities that require expertise as an institution, and according to their job descriptions, activities and the nature of the service they provide, "data processor", "data controller" ” or “joint data controller” may transfer personal data to these suppliers, business partners or authorized institutions and organizations.

10.1. Matters to be Considered in Personal Data Transfer

• During personal data sharing, data transfer is secured by signing a data transfer agreement, undertaking or similar documents with all parties to whom data is transferred.
• Each unit and employee should take care of the risks that the addressee to whom personal data is transferred may pose in relation to personal data, and take care to avoid situations that may create risks.
• In the use of applications and services originating abroad, care is taken to comply with relevant legislation such as KVK and GDPR.
• During data transfers to parties and suppliers, ensuring data security with appropriate and secure means and channels, monitoring whether the real persons to whom personal data are transferred are authorized by the addressee, copies and copies of personal data created for the purpose of transfer, if any, are deleted from all channels as soon as their functions are terminated. Attention is required.
• The organization's units and employees are obliged to observe the sensitivities and practices of the parties and suppliers to whom they transfer data regarding personal data, and to notify their superiors of situations that may pose a risk in a timely manner. Employees of the organization should request the necessary support from their superiors in a timely manner for the situations and problems that they cannot resolve regarding personal data.

10.2. Situations to which Personal Data is Transferred and Parties to which Transfer is made

Personal data are shared with the following parties for the following purposes:

• To private institutions and organizations such as group companies, business partners, subsidiaries, consultancy firms, other service suppliers and public institutions and organizations in the country and abroad, when necessary for the planning and fulfillment of commercial activities carried out by the Organization,
• To real and legal persons serving in these fields and the third parties they work with in order to ensure business continuity, legal, technical and commercial occupational safety, human resources, occupational health and safety, planning and execution of emergency processes and strategies;< /li>
• Persons with whom the organization has signed a contract within the framework of the services provided and the third parties they work with,
• Suppliers that provide outsourcing services for the services provided by the organization or that provide socio-economic benefits to the employee and the third parties they work with,
• To internal departments, our group companies, previous or future employers,
• Our business partners, consultants, suppliers, private institutions and organizations, courts, public institutions and organizations and competent authorities when necessary for the organization to fulfill its legal obligations,
• To the relevant banks for the necessary payment and collection transactions and fulfillment of the obligations within the scope of the establishment and performance of the contracts made by the Organization,
• To insurance agencies and insurance companies so that employees can benefit from insurance and similar rights
• Legal, accounting/SMM offices, lawyers and other consultants in order to receive legal and financial support within the scope of establishment, use and protection of the rights of our organization,
• To service providers in Turkey and abroad that provide the necessary infrastructure and services for corporate electronic communication channels and cloud services to ensure data security;
• Instant messaging, file sharing, video conferencing, electronic mail, etc. Platforms and applications of foreign origin that we provide services to use online communication channels and tools,
• The supplier we provide services for the provision and authorization of services such as electronic signature, corporate phone line,
• With the supplier organizations providing services in these fields, in order to increase the motivation of the employees, to strengthen the team spirit, to send support messages on their special days, to organize events, and to reward the successful employees,
• Inspectors and domestic or foreign-origin auditing companies who conduct audits in order to carry out quality, social and other audits received by the organization or carried out at the request of customers,
• Personal data are transferred to private and public institutions/organizations in order to carry out legal and technical processes related to works and transactions that are subject to intellectual and industrial property.

10.3. Transfer of Personal Data Abroad

Hallstock B.V shares personal data with service providers residing abroad for the purposes of running our website, developing services, executing office work and operations, providing services to users and visitors, ensuring their satisfaction, meeting their expectations, and communicating. In this context,

• US Whatsapp (Facebook) for instant messaging and,
• With US-based Zoom and Google for video conferencing,
• With US-based Tawk.to for customer support and requests,
• With US-based Google and Wetransfer for file sharing,
• With Anydesk from Germany for remote access,
• With US-based Apple and Google for mobile operating systems and bundled services,
• For Social Media services, it is shared with USA origin Facebook, Twitter, Instagram, Youtube and Google.
• Shared with SendinBlue, originating in France, for mailings.

You can find the privacy policies of each service provider at the following links:

• Microsoft (https://privacy.microsoft.com/en-us/privacystatement)
• Whatsapp (https://www.whatsapp.com/legal/client)
• Google (https://policies.google.com/privacy?hl=en-US)
• Wetransfer (https://wetransfer.com/legal/privacy)
• Anydesk (https://anydesk.com/en/privacy)
• Facebook (https://www.facebook.com/policy.php)
• Twitter (https://twitter.com/en/privacy)
• Instagram (https://help.instagram.com/519522125107875)
• Linkedin (https://www.linkedin.com/legal/privacy-policy)
• Cloudflare (https://www.cloudflare.com/privacypolicy/)
• Tawk.to (https://www.tawk.to/privacy-policy/)
• SendinBlue (https://www.sendinblue.com/legal/privacypolicy/)

11. AUDIT, REFERENCES AND DATA VIOLATION NOTIFICATIONS

The organization can make necessary internal and external audits regarding the protection of personal data.

Applications made by the relevant persons are answered by the Committee within 30 days at the latest by taking the opinion of the relevant unit.

When the organization is notified of any violation of personal data, it is notified to the KVK Board without delay and within 72 hours at the latest from the date of learning of this situation. It also informs the relevant parties and persons in the same way.

12. UPDATE

This policy document is updated when the organization's personal data processing conditions, tools, purposes and scope change and the parties to which personal data are shared change. Updates made on each item are kept in a separate table.