Blanco Yatçılık Danışmanlık Hizmetleri ve İnşaat San. Tic. Ltd. Şti.
Personal Data Protection and Processing Policy
I. Purpose, Scope and Definitions
I.1 Purpose of the Policy
Within the scope of the Law No. 6698 on the Protection of Personal Data (“Law”), Blanco Yatçılık Danışmanlık Hizmetleri ve İnşaat San. Tic. Ltd. Şti. (“Company”) prioritizes the lawful processing and protection of personal data.
In all of our planning and business activities, we act in accordance with this principle. Pursuant to Article 10 of the Law, this Personal Data Protection and Processing Policy has been prepared to inform you about:
- The principles governing the processing of personal data
- The administrative and technical measures implemented for data protection
- Our compliance with the Law
I.2 Scope
This Policy determines the conditions under which personal data is processed and sets forth the principles adopted by the Company in processing personal data.
Accordingly, this Policy covers:
- All personal data processing activities carried out by the Company within the scope of the Law
- All categories of personal data processed
- All data subjects whose personal data is processed
I.3 Definitions
For the purposes of this Policy:
Explicit Consent
Consent that is specific to a particular subject, informed, and freely given.
Public Disclosure
Personal data made publicly available by the data subject. Such data may be processed without additional consent, provided general principles under the Law are respected.
Anonymization
Rendering personal data impossible to associate with an identified or identifiable natural person, even when matched with other data.
Data Subject
The natural person whose personal data is processed.
Personal Data
Any information relating to an identified or identifiable natural person.
Data Recording System
A structured system in which personal data is processed according to specific criteria.
Customer
Natural persons benefiting from Ultramar’s products and services.
Prospective Customer
Natural persons who show interest in Ultramar’s products and services.
Special Categories of Personal Data
Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, association membership, health, sexual life, criminal convictions, biometric and genetic data.
Deletion
Rendering personal data inaccessible and unusable for relevant users.
Data Controller
The entity determining the purposes and means of processing personal data and responsible for managing the data recording system.
Data Processor
A natural or legal person processing personal data on behalf of the Data Controller.
Employee Candidate
A natural person who has applied for a position at the Company.
Visitor
A natural person visiting Company premises or website.
Third Party
Persons other than those listed above.
II. Categories of Personal Data
Personal data processed by the Company includes, but is not limited to:
- Identity Information (ID card, passport, driver’s license, etc.)
- Contact Information (email, phone number, address)
- Location Data
- Customer Information
- Customer Transaction Information
- Physical Security Information (camera records, access logs)
- Transaction Security Information
- Financial Information
- Employee Candidate Information
- Legal Compliance Information
- Audit Information
- Special Categories of Personal Data
- Marketing Information
- Request and Complaint Management Information
- Reputation Management Information
- Incident Management Information
All data is processed in accordance with the Law and relevant legislation.
III. Purposes of Processing Personal Data
Personal data may be processed for the following purposes:
- Conducting operational activities to deliver our products and services effectively
- Recommending products and services tailored to customer preferences
- Managing customer relationships
- Planning and executing commercial strategies
- Fulfilling contractual and legal obligations
- Conducting marketing and promotional activities
- Measuring customer satisfaction
- Managing human resources processes
- Ensuring legal and commercial security
Processing is carried out within the framework of Articles 5 and 6 of Law No. 6698.
Processing for Employee Candidates
Personal data of employee candidates is processed for purposes including:
- Evaluating suitability for open positions
- Verifying references and qualifications
- Communicating regarding recruitment processes
- Complying with legal obligations
Processing for Employees
Employee data is processed for:
- HR planning and management
- Fulfillment of employment contract obligations
- Performance evaluations
- Career development and training
- Compensation and benefits management
- Internal assignments and termination processes
Processing for Customers
Customer data is processed to:
- Fulfill contractual obligations
- Provide customer services
- Conduct marketing and event organization
- Manage legal disputes
- Protect Company rights
- Conduct business development and market analysis
Processing for Suppliers
Supplier data is processed to:
- Establish and perform contracts
- Monitor compliance with contractual obligations
- Manage financial and invoicing processes
- Protect Company rights
Processing for Visitors
Visitor data is processed to:
- Ensure physical security
- Resolve potential legal disputes
- Comply with legal obligations
Processing for Website Visitors
Personal data of website visitors may be processed to:
- Respond to inquiries and requests
- Ensure website security
- Improve service quality
- Conduct statistical evaluations
IV. Transfer of Personal Data
Personal data may be transferred domestically or internationally to:
- Business partners
- Suppliers and service providers
- Authorized public institutions
Such transfers are conducted in accordance with Articles 8 and 9 of the Law.
V. Retention, Deletion and Anonymization
Personal data is retained for the duration required by applicable legislation or for as long as necessary for the purposes for which it is processed.
Upon expiration of retention periods or elimination of processing purposes, personal data will be:
- Deleted
- Destroyed
- Anonymized
in accordance with Article 7 of the Law and relevant regulations.
VI. Principles Governing Processing
The Company processes personal data in compliance with the following principles:
- Lawfulness and fairness
- Accuracy and up-to-date maintenance
- Processing for specified, explicit and legitimate purposes
- Relevance, limitation and proportionality
- Retention for no longer than necessary
VII. Legal Grounds for Processing
Personal data may be processed where at least one of the following conditions applies:
- Explicit consent of the data subject
- Explicit provision in laws
- Protection of life or physical integrity
- Necessity for contract performance
- Compliance with legal obligations
- Data made public by the data subject
- Establishment or protection of a right
- Legitimate interest of the Company
VIII. Special Categories of Personal Data
Special categories of personal data are processed in strict compliance with Article 6 of the Law and subject to enhanced security measures.
IX. Rights of the Data Subject
Data subjects have the right to:
- Learn whether personal data is processed
- Request information regarding processing
- Learn the purpose of processing
- Know third parties to whom data is transferred
- Request correction or deletion
- Object to automated decision-making
- Request compensation for damages
X. Confidentiality
All personal data is confidential. Necessary technical and administrative measures are implemented to prevent unauthorized access, disclosure, alteration, or misuse.
XI. Data Protection Measures
In accordance with Article 12 of the Law, the Company implements regular audits, security controls, and compliance measures to ensure personal data protection.
XII. Personal Data Breach Management
In case of unlawful acquisition of personal data, the Company will notify the relevant data subjects and the Personal Data Protection Board without delay.
XIII. Amendments
The Company reserves the right to amend this Policy in line with legal requirements and corporate policies. Updated versions will be published on the Company’s website.
