Personal Data Protection and Processing Policy
Introduction
Ender PVC Yapi Elemanlari San. ve Tic. A.S. ("COMPANY") places the protection of personal data at the forefront of its operations and considers it a primary priority. The Personal Data Protection and Processing Policy ("Policy") constitutes the fundamental regulation for aligning the personal data processing procedures and principles set forth by Law No. 6698 on the Protection of Personal Data ("Law") with the Company's organizational and business processes.
In line with this Policy, the Company processes and protects personal data with the highest level of responsibility and awareness, providing necessary transparency by informing data subjects.
Purpose, Scope & Legal Basis
1.1 Purpose
The purpose of this Policy is to ensure effective implementation of the procedures and principles set forth by the Law and related legislation by integrating them into Ender PVC's organizational processes. The Company takes all necessary administrative and technical measures, establishes internal procedures, raises awareness, and conducts all required training to ensure the lawful processing and protection of personal data.
1.2 Scope
This Policy covers all personal data obtained within the Company's business processes, whether through automated means or through non-automated means that form part of a data recording system.
1.3 Legal Basis
This Policy is based on the Law and related legislation. Personal data is processed to fulfill legal obligations arising from Law No. 6502 (Consumer Protection), Law No. 4857 (Labor Law), Law No. 6331 (Occupational Health and Safety), Law No. 5510 (Social Insurance), Law No. 6102 (Turkish Commercial Code), Law No. 213 (Tax Procedure Law), and other applicable legislation.
In the event of any inconsistency between applicable legislation and this Policy, the applicable legislation shall prevail.
Definitions
Personal Data Protection Topics
2.1 Ensuring Data Security
The Company takes the necessary measures stipulated in Article 12 of the Law, appropriate to the nature of the data, to prevent unlawful disclosure, access, transfer, or other security incidents involving personal data. The Company takes measures and conducts audits to ensure the required level of personal data security in accordance with guidelines published by the Personal Data Protection Authority.
2.2 Protection of Sensitive Personal Data
Special category personal data — including race, ethnic origin, political opinion, philosophical belief, religion, sect, appearance, association/foundation/union membership, health, sexual life, criminal conviction, security measures, biometric and genetic data — is processed with the utmost care, applying all required safeguards and conducting necessary audits.
2.3 Raising Awareness
The Company provides necessary training to relevant parties to develop awareness regarding the lawful processing, access, safeguarding, and exercise of rights over personal data. The Company establishes required business processes, obtains consultant support when necessary, and evaluates training outcomes and legal changes to organize new training sessions as needed.
Processing of Personal Data
3.1 Principles of Lawful Processing
Personal data is processed in accordance with applicable legislation based on the following principles:
- Lawfulness and Good Faith: Processed to the extent required by business processes, without harming fundamental rights and freedoms.
- Accuracy and Currency: Necessary measures are taken to keep processed personal data accurate and up to date.
- Specific, Explicit and Legitimate Purpose: Processed in connection with the legitimate purposes determined and disclosed within business processes.
- Relevance and Proportionality: Collected to the extent required and processed in a limited manner tied to the defined purposes.
- Retention for Necessary Period: Retained for the minimum period prescribed by relevant legislation or required for the processing purpose, then destroyed by appropriate methods.
3.2 Legal Bases for Processing
Personal data is processed based on the data subject's explicit consent or, where applicable, one or more of the following conditions:
- Expressly provided for by law
- Necessary to protect the life or physical integrity of the person or another, where the person is unable to give consent
- Directly related and necessary for the establishment or performance of a contract to which the data subject is a party
- Necessary for the Company to fulfill its legal obligations
- Made public by the data subject, limited to the purpose of disclosure
- Necessary for the establishment, exercise, or protection of a right
- Necessary for the legitimate interests of the Company, provided fundamental rights and freedoms of the data subject are not harmed
3.3 Processing of Sensitive Personal Data
Sensitive personal data is processed only in the following circumstances, taking all required administrative and technical measures as determined by the Board:
- Explicit consent of the data subject
- Expressly provided for by law
- Necessary to protect the life or physical integrity of the person or another where consent cannot be given
- Related to personal data made public by the data subject and consistent with the intent of disclosure
- Necessary for the establishment, exercise, or protection of a right
- Required by persons under confidentiality obligations or authorized institutions for public health, preventive medicine, medical diagnosis, treatment, or health service planning
- Required to fulfill legal obligations in employment, occupational health and safety, or social security
- Directed at current or former members of foundations, associations, or non-profit organizations established for political, philosophical, religious, or trade union purposes
3.4 Informing Data Subjects
The Company informs data subjects in accordance with applicable legislation regarding: the purposes for which their data is processed, the parties with whom it is shared, the methods and legal basis of collection, and the rights of data subjects in relation to the processing of their personal data.
Transfer of Personal Data
The Company may lawfully transfer personal data to third parties (shareholders, board of directors, business partners, suppliers, customers, authorized public institutions, legally authorized private law persons, auditors, consultants, lawyers, contracted service providers) by taking necessary security measures in line with data processing purposes.
Conditions for Transfer
Subject to the explicit consent of the data subject, or alternatively based on one or more of the following conditions, personal data may be transferred to third parties:
- Expressly provided for by law
- Directly and necessarily related to the establishment or performance of a contract
- Necessary for the Company to fulfill its legal obligations
- Made public by the data subject, limited to the purpose of disclosure
- Necessary for the establishment, exercise, or protection of rights
- Necessary for the legitimate interests of the Company without harming fundamental rights of the data subject
- Necessary to protect life or physical integrity where consent cannot be obtained
Cross-border transfers are governed by Article 9 of the Law. Personal data may be transferred to countries declared as "Countries with Adequate Protection" by the Board, or to countries where adequate protection is committed in writing, subject to Board approval.
Personal Data Inventory Parameters
Ender PVC processes personal data belonging to the following data subject categories across its management, human resources, administrative, financial, planning-logistics, production, product development-quality, marketing-sales, and procurement business processes:
- Job applicants and employees
- Shareholders and partners
- Potential product or service buyers
- Interns
- Supplier representatives
- Product or service recipients
- Legal guardians and representatives
- Visitors
Detailed information on data categories, processing purposes, and data subject groups is available on the Company's website at www.enderpen.com.tr under the Data Subject Application section.
Security Measures
The Company takes all necessary technical and administrative measures to protect personal data processed in accordance with the procedures and principles set forth in the Law. Necessary audits are conducted and awareness and training activities are carried out within this scope.
In the event that processed personal data is unlawfully obtained by third parties despite all technical and administrative measures having been taken, the Company shall notify the relevant persons and units as soon as possible.
Retention and Disposal of Personal Data
The Company retains personal data for the period required for the processing purpose and for the minimum period prescribed by applicable legislation. If a period is specified in applicable legislation, that period is followed; if no statutory period exists, personal data is retained for the period required for the processing purpose.
At the end of the determined retention periods, personal data is destroyed in accordance with periodic destruction timelines or upon data subject request, using appropriate methods — deletion, erasure, or anonymization.
Data Subject Rights and Their Exercise
7.1 Rights of Data Subjects
Data subjects have the following rights under the Law:
- To learn whether personal data is being processed
- To request information if personal data has been processed
- To learn the purpose of processing and whether data is used in accordance with that purpose
- To know third parties to whom data has been transferred domestically or abroad
- To request correction of incomplete or inaccurate data
- To request deletion or destruction of personal data when processing conditions no longer exist
- To object to any outcome against oneself arising from analysis by automated systems
- To claim compensation for damages arising from unlawful processing
7.2 How to Exercise Rights
Data subjects may submit their requests by filling in the "Data Subject Application Form" and submitting it to the Company using the methods determined by the Board.
7.3 Response to Applications
The Company finalizes duly submitted requests as soon as possible and within a maximum of 30 (thirty) days, free of charge. However, if handling the request entails a separate cost, a fee may be charged in accordance with the tariff determined by the Board.
7.4 Rejection of Applications
The Company may reject a request, stating its grounds, in the following circumstances:
- Personal data processed for official statistics, research, planning, or statistical purposes after anonymization
- Processing for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression
- Processing by authorized public institutions for national defense, national security, or public order
- Processing by judicial authorities for investigation, prosecution, or enforcement proceedings
- Processing necessary for crime prevention or criminal investigation
- Processing of data made public by the data subject themselves
- Processing necessary for the supervisory or disciplinary duties of authorized public bodies
- Processing necessary for the protection of the State's economic and financial interests
- Requests likely to hinder the rights and freedoms of other persons
- Requests requiring disproportionate effort
- Requested information being publicly available
7.5 Right to File a Complaint with the Board
Pursuant to Article 14 of the Law, in cases where the application is rejected, the response is found inadequate, or no response is given within the prescribed time, a complaint may be filed with the Board within thirty days of learning the Company's response and in any case within sixty days of the application date.
Enforcement & Entry into Force
This Policy has been approved and put into effect by the Board of Directors. The technical implementation of the Policy is supported by the "Personal Data Retention and Disposal Policy."
The Board of Directors is responsible for the implementation and updating of the Law and Policy. The Personal Data Protection Committee of Ender PVC is responsible for all follow-up, coordination, and supervision of related activities.
This Policy enters into force on its publication date. Any amendments to the Policy are published on the Company's website at www.enderpen.com.tr and take effect on the date of announcement.
Annex 1 — Data Categories and Personal Data
| DATA CATEGORY | PERSONAL DATA |
|---|---|
| Identity | Name, surname, date of birth, place of birth, marital status, ID serial number, TR ID number, passport number, driver's license, gender |
| Contact | Address, email address, registered electronic mail (KEP), phone number |
| Employment | Payroll information, disciplinary investigation records, employment entry/exit records, CV information, performance evaluation reports |
| Legal Transaction | Correspondence with judicial authorities, case file information |
| Customer Transaction | Invoice, promissory note, cheque information, order information, appointment information |
| Physical Security | Entry-exit records for employees and visitors, CCTV footage |
| Transaction Security | IP address information, website login/logout records, password and credential information |
| Risk Management | Information processed for managing commercial, technical, and administrative risks |
| Finance | Balance sheet information, financial performance data, credit and risk information, bank account number, IBAN |
| Professional Experience | Diploma information, courses attended, in-service training records, certificates |
| Visual/Audio Records | CCTV images, audio recordings, photographs |
| Health Information | Disability status, blood type, personal health data, laboratory and imaging results, prescription information |
| Criminal Records | Criminal conviction records, security measure records |
| Family Information | Number of children, family record, spouse employment status, children's education and age |
| Vehicle Information | License plate, make, model, year, engine/chassis number, registration date |
| Military Status | Military service records |
| Signature | Wet or electronic signatures, fingerprints on documents bearing personal data |
Annex 2 — Personal Data Processing Purposes
- Management of Emergency Processes
- Management of Information Security Processes
- Recruitment and Placement of Job Applicants / Interns / Students
- Managing Employee Application Processes
- Fulfillment of Contractual and Legal Obligations for Employees
- Managing Employee Benefits and Fringe Benefits
- Conducting Audit and Ethics Activities
- Conducting Training Activities
- Managing Access Authorizations
- Ensuring Compliance of Activities with Legislation
- Conducting Finance and Accounting Operations
- Ensuring Physical Premises Security
- Managing Assignment Processes
- Following Up and Managing Legal Affairs
- Conducting Internal Audit, Investigation, and Intelligence Activities
- Conducting Communication Activities
- Planning Human Resources Processes
- Conducting and Auditing Business Activities
- Conducting Occupational Health and Safety Activities
- Receiving and Evaluating Suggestions for Process Improvement
- Ensuring Business Continuity
- Conducting Logistics Activities
- Managing Goods and Services Procurement
- Providing After-Sales Support Services
- Managing Sales Processes
- Managing Production and Operations
- Managing Customer Relations
- Conducting Customer Satisfaction Activities
- Organization and Event Management
- Conducting Marketing Analysis
- Conducting Performance Evaluations
- Managing Advertising, Campaigns, and Promotions
- Managing Risk Management Processes
- Conducting Storage and Archiving Activities
- Managing Contract Processes
- Ensuring Security of Movable Assets and Resources
- Managing Supply Chain Processes
- Implementing Wage Policy
- Managing Product and Service Marketing Processes
- Ensuring Security of Data Controller Operations
- Foreign Personnel Work and Residence Permit Procedures
- Managing Investment Processes
- Talent and Career Development Activities
- Providing Information to Authorized Persons, Institutions, and Organizations
- Conducting Management Activities
- Creating and Monitoring Visitor Records
Annex 3 — Data Recipients and Transfer Purposes
| RECIPIENT CATEGORY | DEFINITION | TRANSFER PURPOSE |
|---|---|---|
| Natural/Legal Persons | Real or legal persons with whom the Company conducts business (customers, etc.) | Limited to the specific transaction performed |
| Shareholders | Natural persons holding a partnership interest in the Company | Limited to planning, execution, and supervision of commercial activities |
| Business Partners | Partners engaged for promotion, marketing, sales support, and related activities; partner banks | Limited to the purposes and activities of the partnership |
| Authorized Public Institutions | SGK, Tax Offices, and other public bodies authorized to request information under applicable legislation | Limited to the purpose requested under the legal authority of the relevant institution |
| Legally Authorized Private Persons | Institutions or organizations established under applicable legislation | Limited to matters within their field of activity |
| Board of Directors Members | Members of the Company's Board of Directors | Limited to the execution of Board activities |
| Service Providers / Collaborators | Organizations providing contracted services or collaboration | Limited to the terms of the contract and cooperation protocol |
| Lawyers | Lawyers holding legal authorization under applicable legislation | Limited to matters with legal consequences for Company and employee transactions |
| Suppliers | Parties providing services in line with data processing purposes and requests | Limited to procurement of goods and services to fulfill commercial activities |
| Consultants | Persons whose expertise and experience are utilized | Limited to the scope of expertise and engagement |
| Auditors | Auditors holding audit authority under applicable legislation | Limited to authority and responsibilities defined in legislation |
| Customers | Persons with whom the Company conducts transactions and provides products/services | Limited to personal data shared by employees while providing service to purchasing customers |
Information Security Policy — Scope
This policy applies to all units using the Information Technology infrastructure, users who access information systems as third parties, and service, software, or hardware providers offering technical support to information systems.
Information Security aims to ensure the continuity of Information Systems in order to protect the company's reputation, reliability, and information assets, and to maintain business operations with the least possible interruption. It focuses on increasing employees' awareness of and compliance with security requirements, ensuring third-party compliance, and actively applying up-to-date technical security controls. The company manages this from a risk management perspective.
Our Information Security Goals
- To document, certify, and continuously improve our Information Security Management System in accordance with the requirements of the ISO 27001 standard.
- To act in alignment with the company's Vision and Mission.
- To reduce the impact of information security risks on business continuity and ensure business continuity.
- To protect the company's reputation from negative impacts related to information security, and to enhance it.
- To ensure the confidentiality, integrity, and availability of all information stored in physical and electronic environments by fully complying with legal requirements, customer requirements, operational and contractual terms.
- To increase users' and employees' awareness of information security, minimize risks, and make them aware of their responsibilities.
- To determine and evaluate the security requirements of the electronic infrastructure provided, keep track of technological developments, improve the system, and ensure service continuity.
- To ensure an acceptable security level for external access to the system.
- To define the information security requirements of third parties, customers, and suppliers, and ensure their compliance with the information security management system.
- To protect the confidentiality of critical data, such as strategic goals, design, production, sales, supply chain, customer, and employee information related to our Products and Services.
- To detect and promptly intervene in cases of non-compliance with information security, and to manage our activities in integration with the other management systems we implement.
Ender PVC Yapi Elemanlari San. ve Tic. A.S.
Privacy and Cookie Policy
Ender PVC Yapi Elemanlari San. ve Tic. A.S. ("Company") operates the www.enderpen.com.tr website and processes the personal data of visitors in accordance with the Turkish Personal Data Protection Law No. 6698 ("Law") while ensuring its confidentiality. This Website Privacy and Cookie Policy ("Policy") establishes the principles for processing personal data, the cookie policy, and website privacy rules for visitors.
Cookies are small text files that store small pieces of information. They are stored on your device or network server by websites you visit through browsers. Cookies ensure the website works properly, enhance security, and provide a better user experience. Session and local storage areas are also used for the same purpose as cookies.
Our website does not use cookies, but session and local storage areas are functional. Unless the visitor changes cookie settings in their browser, it is assumed that they have accepted the use of cookies on this site.
Purpose of Personal Data Processing
Personal data obtained through your visit to our website is processed by our company in accordance with Articles 5 and 6 of the Law for the following purposes:
- To carry out necessary activities for conducting commercial activities by our company and to realize related business processes.
- To carry out necessary activities for providing products and services offered by our company to related individuals and to carry out relevant business processes.
- To customize and promote products and services offered by our company according to the preferences, usage habits, and needs of the individuals.
Parties to Whom Personal Data is Transferred
Personal data obtained through your visit to our website may be transferred to our business partners, suppliers, authorized public institutions, and private individuals, in accordance with the conditions and purposes specified in Articles 8 and 9 of the Law, for the purposes of processing personal data.
Method of Collecting Personal Data
Cookies are small text files stored on the device or network server by the websites visited through browsers. When our website is visited, cookies are applied not only to our website but also to domains like google.com, facebook.com, twitter.com, instagram.com, linkedin.com, and youtube.com with the visitor's consent.
Purpose of Using Cookies
Our website uses first-party and third-party cookies. First-party cookies are mainly necessary for the proper functioning of the website and do not store your personal data. Third-party cookies are used to improve performance, interaction, security, advertising, and ultimately provide better services.
| COOKIE TYPE | DESCRIPTION |
|---|---|
| Session Cookies | Temporary cookies used during your visit. Deleted when the browser is closed. Ensure proper functioning of the website during your visit. |
| Persistent Cookies | Used to enhance website functionality and provide faster service. Remember your preferences and are stored on your device through browsers. |
| Technical Cookies | Ensure the website operates properly and help identify non-working pages and areas. |
| Authentication Cookies | Ensure that logged-in visitors do not need to re-enter their password on every page. |
| Flash Cookies | Used to enable images or audio content on the website. |
| Customization Cookies | Remember preferences such as language across different pages of the website. |
| Analytical Cookies | Track analytical results such as the number of visitors, pages viewed, visit times, and scrolling movements. |
| Statistics | Store information such as the number of visitors, unique visitors, which pages were visited, and the source of the visit. |
| Marketing | Personalize ads shown to you and track the effectiveness of advertising campaigns. |
| Functional | Help with non-essential functions such as embedding videos or sharing website content on social media. |
| Preferences | Remember settings and browsing preferences such as language for a better experience on future visits. |
The main purposes of using cookies on our website are: improving website functionality and performance, personalizing features according to preferences, and ensuring the legal and commercial security of visitors and the company.
Managing Cookie Preferences
Different browsers offer different methods to block and delete cookies used by websites. To block or delete cookies, browser settings should be changed. For more information on how to manage and delete cookies, visit www.allaboutcookies.org. Visitors have the option to personalize their cookie preferences by changing the settings in their browser.
Rights of Data Owners
Requests within the scope of Article 11 of the Law can be made to our company by submitting the application form available at www.enderpen.com.tr. Applications are concluded free of charge as soon as possible and at the latest within thirty days. However, if the process requires an additional cost, a fee may be charged based on the tariff determined by the Personal Data Protection Board.
This Policy is effective as of the date of publication. If the entire Policy or specific provisions are updated, the effective date of the Policy will be revised.
Information Notice Regarding the Processing of Visitors' Personal Data
Ender PVC Yapi Elemanlari San. ve Tic. A.S. ("Company") may process your personal data for the purposes and legal reasons specified below. Your personal data will be stored for the duration specified in the relevant legislation or as required for the purpose for which they were processed.
As the Data Controller, Ender PVC Yapi Elemanlari San. ve Tic. A.S. takes all necessary technical and administrative measures to prevent unlawful processing and unlawful access, and to ensure the safe storage of your data, in accordance with Law No. 6698 on the Protection of Personal Data (KVKK) and related legislation.
Purposes of Personal Data Processing
Your personal data may be processed for the following purposes and legal grounds, in accordance with the obligations arising from the law:
- Registration in the visitor log upon entry to our company.
- Ensuring the security of the company, visitors, and employees.
- Camera recordings of visitors to detect incidents such as theft, unauthorized entry, and any other incidents on the company premises.
Your personal data will be stored for 5 years from the date of processing, within the time frame stipulated by the relevant legislation.
Who Your Personal Data May Be Transferred To
Your personal data may be transferred to shareholders, board members, business partners, suppliers, customers, authorized public institutions and organizations, legally authorized private law entities, auditors, consultants, lawyers, or entities with whom the Company collaborates, for the purposes and conditions specified in Articles 8 and 9 of Law No. 6698.
Method and Legal Reason for Collecting Personal Data
Your personal data is collected by the Company on the legal grounds specified above. This data, including your name and license plate information, is collected electronically, on paper, orally, or through CCTV cameras inside our buildings. The personal data collected can be processed and transferred as specified in Articles 5 and 6 of Law No. 6698 and for the purposes outlined above.
Your Rights Regarding the Processing of Personal Data
According to Article 11 of KVKK, you have the right to:
- Learn whether your personal data has been processed.
- Request information if your personal data has been processed.
- Learn the purpose of processing your personal data and whether it has been used in compliance with its purpose.
- Know the third parties to whom your personal data has been transferred, whether domestically or internationally.
- Request the correction of incomplete or inaccurate data.
- Request the deletion or destruction of your personal data under the conditions set out in the law.
- Request that the third parties to whom your personal data has been transferred be informed about the correction, deletion, or destruction operations.
- Object to the automatic processing of your data that may lead to a result against you.
- Request compensation for the damages suffered due to unlawful processing of your personal data.
In accordance with Article 13 of the KVKK, you may submit a request to exercise your rights using written communication or through other methods designated by the Personal Data Protection Board. For detailed information, visit www.enderpen.com.tr and review the "Personal Data Owner Rights and Application Form."
