Special Categories of Personal Data Protection Policy

ARTICLE 1- PURPOSE 

Baymineral Maden ve Kimya Sanayi Dış Ticaret Limited Şirketi ("Baymineral") undertakes to comply with the regulations on the protection, processing and destruction of special categories of personal data in accordance with its legal responsibilities. This Special Categories of Personal Data Protection Policy ("Policy") is applied to all of Baymineral's business processes within the framework of the applicable legislation and is based on nationally accepted basic principles regarding personal data destruction. It includes the framework and principles for carrying out the necessary destruction procedures within the scope of the relevant legislation.

Article 7, paragraph 3 of the Law No. 6698 on the Protection of Personal Data ("Law") stipulates that "The procedures and principles regarding the deletion, destruction or anonymization of personal data shall be regulated by regulation". Based on this provision and subparagraph (e) of the first paragraph of Article 22 of the Law, the Personal Data Protection Board ("Board") prepared the Regulation on Deletion, Destruction or Anonymization of Personal Data ("Regulation") and published it in the Official Gazette dated October 28, 2017 and numbered 30224.

Articles 6, 9 and 18 of the Law No. 6698 were amended and a new provisional article was added to the Law No. 6698 by the Law on the Amendment of the Code of Criminal Procedure and Certain Laws, including provisions on the Law on the Protection of Personal Data, published in the Official Gazette dated March 12, 2024 and numbered 32487.

Based on the above regulation, the purpose of this Policy is to determine the procedures and principles regarding the processing, deletion, destruction or anonymization of special categories of personal data collected by Baymineral while conducting its activities in accordance with the Regulation.

ARTICLE 2- SCOPE

This Policy relates to the special categories of personal data processed by Baymineral in whole or in part by automatic means or by non-automatic means provided that they are part of any data recording system, and to the storage and destruction of such data.

Baymineral processes special categories of personal data of company employees, interns and officials and employees of company business partners.

ARTICLE 3- DEFINITIONS

Recipient Group: The category of natural or legal person to whom personal data is transferred by the data controller.

Explicit Consent: Consent on a specific issue, based on information and expressed with free will.

Electronic Media: Media in which personal data can be created, read, modified and written with electronic devices.

Non-Electronic Media: All written, printed, visual, etc. other than electronic media. environments.

Relevant Person: The natural person whose personal data is processed.

Destruction: Deletion, destruction or anonymization of personal data.

Law/KVKK: Law No. 6698 on the Protection of Personal Data.

Recording Medium: Any medium in which personal data processed by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Board: Personal Data Protection Board

Special categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are special categories of personal data.

Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.

Data Recording System: It is the recording system where personal data is structured and processed according to certain criteria.

Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system) is the data controller.

Deletion of Special Categories of Personal Data: Making personal data of special nature inaccessible and non- reusable in any way for the Relevant Users.

Destruction of Special Categories of Personal Data: The process of making personal data of special nature inaccessible, irretrievable and non-reusable by anyone in any way.

Destruction of Special Categories of Personal Data: Deletion, destruction or anonymization of special categories of personal  data.

Anonymization: Making the data previously associated with a person impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data.

ARTICLE 4- RECORDING MEDIUM

Special Categories of Personal Data is securely stored by Baymineral in accordance with the law in the environments listed below.

ARTICLE 5- MATTERS REGARDING THE POLICY ON THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

5.1.  General Principles for Processing Special Category of Personal Data

Baymineral processes and protects the special category of personal data of Users within the scope of the Constitution of the Republic of Turkey and the Law on the Protection of Personal Data.

In this context, Baymineral acts in line with the following principles:

5.1.1. Performing Special Categories of Personal Data Processing Activities in Accordance with Data Processing Conditions

The Company pays special attention to the processing of special categories of personal data that carry the risk of creating discrimination when processed unlawfully. In this context, in the processing of special categories of personal data by the Company, first of all, it is determined whether the data processing conditions exist with sensitivity, and the data processing activity is carried out after making sure that the legal compliance condition exists.

Special Category of personal data may be processed by the Company in the following cases, provided that adequate measures determined by the Personal Data Protection Board are taken:

Health data may be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality or in the presence of the explicit consent of the data subject.

Criminal conviction and security measures data; explicit consent of the data subject or in accordance with the laws

can be committed in prescribed cases.

5.1.2. Taking Adequate Measures in Processing Special Category of Personal Data 

The following measures are taken in the processing of special categories of personal data: For employees involved in the processing of special category of personal data;

• Regularly review the Law and related regulations and special categories of personal data security issues.

as trainings,

• Confidentiality agreements,
• Clearly defining the users authorized to access data, their scope and duration of authorization,
• Performing periodic authorization checks,
• Immediate removal of the authorization of employees who have changed their duties or left their jobs, and the return of any inventory allocated to them in this context,
• If the media where special categories of personal data are processed, stored and/or accessed are electronic media; If the data is stored using cryptographic methods, cryptographic keys are kept in secure and different environments, transaction records of all movements performed on the data are securely logged, security updates of the environments where the data are located are constantly monitored, necessary security tests are regularly performed / performed, test results are recorded, if the data is accessed through a software, user authorization of this software is made, security tests of these software are regularly performed / performed, test results are recorded, if remote access to the data is required, at least two-stage authentication system is provided,
• If the environments where special categories of personal data are processed, stored and/or accessed are physical environments; ensuring that adequate security measures (against electrical leakage, fire, flood, theft, etc.) are taken according to the nature of the environment where special categories of personal data are located, ensuring the physical security of these environments and preventing unauthorized entry and exit,

5.1.3. Taking Measures in Case of Unlawful Disclosure of Special Category of Personal Data

In the event that Special Categories of Personal Data are unlawfully obtained by unauthorized persons within the scope of the Special Categories of Personal Data processing activity carried out by our Company, the situation will be notified to the Board within 72 (seventy-two) hours at the latest in accordance with the Board's decision dated 24.01.2019 and numbered 2019/10, and the relevant persons affected by the violation will be informed as soon as possible.

5.2. Purposes of Processing Special Category of Personal Data

Within the scope of the activities carried out by the Company, the special categories of personal data of the data subjects are

may be processed for, but not limited to, the following purposes:

• Planning Human Resources Processes,
• Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees,
• Execution of Employee Benefits and Benefits Processes,
• Execution of Emergency Management Processes
• Execution of Activities in Compliance with the Legislation
• Execution/Supervision of Business Activities,
• Execution of Occupational Health / Safety Activities,
• Execution of Audit / Ethics Activities,
• Execution of Internal Audit / Investigation / Intelligence Activities,
• Execution of Business Continuity Ensuring Activities
• Execution of Management Activities
• Giving Information to Authorized Persons, Institutions and Organizations
• Execution of Storage and Archive Activities
• Execution of Audit / Ethics Activities

5.3. Legal Grounds for Processing Special Category of Personal Data

Special categories of personal data may be collected by our Company in accordance with the principles set forth in this Policy. We will take all necessary administrative and technical measures, including the minimum security measures established or to be established by the Personal Data Protection Board, and ensure at least one of the following conditions is met:

• The explicit consent of the Data Subject is obtained, or
• For the Related Person;
  • Special categories of personal data, excluding health data, are processed only in cases stipulated by law.
  • Health-related special categories of personal data are processed without the explicit consent of the Data Subject only for purposes such as protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing, and only by persons or authorized institutions and organizations under the obligation of confidentiality. 

ARTICLE 6- TRANSFER OF PERSONAL DATA

Personal data held by Baymineral are securely stored and not disclosed to third parties outside the legal framework. Baymineral shall not disclose personal data to persons, institutions and/or organizations, business partners, all authorities and channels required for the performance of the User Agreement, public legal entities and authorities authorized to receive personal data such as Courts, Public Prosecutor's Offices, SGK, BDDK, CMB, MASAK, BKM, our domestic / foreign affiliates, independent audit and support service providers due to legal obligations but within the framework of legal limitations.

Under the following conditions, personal data may be transferred to third parties without the explicit consent of the Data Subject:

• Special categories of personal data, excluding those related to health and sexual life, as stipulated by law.
• Special categories of personal data related to health and sexual life can only be transferred by persons or authorized institutions and organizations bound by confidentiality obligations for purposes such as protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing.

The nature of these transfers and the parties with whom the data is shared vary depending on the type and nature of the relationship between the data owner and the Company, the purpose of the transfer, and the relevant legal basis. In this context, the measures, implementation principles, and procedures taken by the Company within its policies are applicable.

In this direction;

• If data needs to be transferred via e-mail, encrypted corporate e-mail address or Transfer using a Registered Electronic Mail (KEP) account,
• If it needs to be transferred via media such as Portable Memory, CD, DVD, encryption with cryptographic methods and keeping the cryptographic key on different media,
• If transfer is performed between servers in different physical environments, data transfer between servers can be performed by setting up a VPN or using the sFTP method,
• If it is necessary to transfer data via paper media, it is ensured that necessary precautions are taken against risks such as theft, loss or unauthorized viewing of the document and that the document is sent in the "confidential documents" format.

ARTICLE 7 - STORAGE AND DESTRUCTION OF PERSONAL DATA OF SPECIAL NATURE

Special Category of personal data shall be deleted, destroyed or anonymized by the Company ex officio or upon the request of the data subject, in the event that the reasons requiring its processing disappear.

According to this;

• Amendment or abolition of the provisions of the relevant legislation that constitute the basis for processing special category of personal data,
• In cases where the processing of special category of personal data takes place only based on explicit consent, the relevant withdrawal of consent,
• Acceptance by the data controller of the application made by the data subject regarding the personal data processing activity within the framework of the rights in subparagraphs (e) and (f) of paragraph 1 of Article 11 of the Law,
• In cases where the data controller rejects the application made by the person concerned with the request for the deletion or destruction of his personal data, the answer given by the data controller is insufficient or does not respond within the period stipulated in the Law; A complaint is made to the Board and this request is approved by the Board,
• Although the maximum period for retaining personal data has elapsed, there are no circumstances that justify retaining personal data for a longer period,
• The conditions requiring the processing of special categories of personal data under Article 6 of the Law have disappeared

in such cases, special category of personal data will be destroyed.

In the event that the above-mentioned situations do not occur, Baymineral keeps the health data in the employee's personnel file for the duration of the employee's employment and for 15 years from the end of this period, within the scope of OHS legislation. Criminal conviction and security measures data are kept in the personnel file for the duration of employment and for 10 years after the end of this period.

ARTICLE 8- DISCLOSURE OBLIGATION

According to the Constitution of the Republic of Turkey, everyone has the right to be informed about personal data concerning him/her. Accordingly, Article 11 of the Law on the Protection of Personal Data lists "requesting information" among the rights of the personal data subject.

In this context, Baymineral provides the necessary information in case the personal data owner requests information in accordance with the Constitution and KVKK.

In accordance with Article 10 of the LPPD, Baymineral also informs personal data subjects about the purpose for which personal data will be processed during the acquisition of personal data, to whom and for what purpose the processed personal data may be transferred, the method and legal reason for collecting personal data, and the rights of the personal data subject under Article 11 of the LPPD.

In addition, Baymineral ensures informing and transparency in personal data processing activities by announcing to personal data owners and those concerned that it carries out personal data processing activities in accordance with all matters in the KVKK and the "law and honesty rule" through various public documents, especially this Policy.

ARTICLE 9- RIGHTS OF THE DATA SUBJECT PURSUANT TO ARTICLE 11 OF THE KVKK NUMBERED 6698

Pursuant to Article 11 of the KVKK No. 6698, the owners of special categories of personal data

• To learn whether their special categories of personal data are being processed,
• To request information if personal data of special nature has been processed,
• To learn the purpose of processing special categories of personal data and whether they are used for their intended purpose,
• To know the third parties to whom special category of personal data are transferred domestically or abroad,
• To request correction of personal data of special nature in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
• Although it has been processed in accordance with the provisions of KVKK and other relevant laws, to request the deletion or destruction of special category of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom special category of personal data is transferred,
• To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
• In case of damage due to processing in violation of KVKK, it has the right to demand the compensation of the damage.