Institutional > Personal Data Owner Application Form

**DIVAPAN ENTEGRE AĞAÇ PANEL SANAYİ VE TİCARET A.Ş.**

**PERSONAL DATA PROTECTION AND PROCESSING POLICY**

---

**1. INTRODUCTION**

Divapan Entegre Ağaç Panel Sanayi ve Ticaret A.Ş. (“DIVAPAN”) places great importance on the protection of personal data in its operations and considers it a priority in its business processes. The DIVAPAN Personal Data Protection and Processing Policy (“Policy”) is the fundamental regulation aimed at ensuring compliance with the personal data processing principles and procedures outlined in the Personal Data Protection Law No. 6698 (“Law”) within DIVAPAN’s organization and business processes. DIVAPAN processes and protects personal data with a high sense of responsibility and awareness in accordance with the principles of this Policy, while ensuring transparency by informing data subjects.

**1.1. Purpose**

The purpose of this Policy is to ensure that the principles and procedures stipulated by the Law and other relevant legislation are effectively implemented within DIVAPAN’s organization and processes. DIVAPAN adopts all necessary administrative and technical measures to process and protect personal data, establishes internal procedures, raises awareness, and provides all required training to ensure compliance. Measures are taken to ensure that shareholders, authorized persons, employees, and business partners comply with the Law, and appropriate and effective audit mechanisms are established.

**1.2. Scope**

This Policy encompasses all personal data obtained by DIVAPAN in its business processes, whether through automated means or non-automated means as part of any data recording system.

**1.3. Basis**

The Policy is grounded in the Law and related legislation. Personal data is processed to fulfill legal obligations arising from various regulations, including Decree Law No. 635, Industrial Registry Law No. 6948 and its regulations, Law No. 4703 on the Preparation and Implementation of Technical Legislation for Products, Law No. 132 on the Establishment of the Turkish Standards Institute (TSE), Law No. 4562 on Organized Industrial Zones (OSB), Personal Data Protection Law No. 6698, Consumer Protection Law No. 6502, Identity Notification Law No. 1774, Labor Law No. 4857, Occupational Health and Safety Law No. 6331, Social Insurance and General Health Insurance Law No. 5510, Unemployment Insurance Law No. 4447, Turkish Commercial Code No. 6102, Tax Procedure Law No. 213, Law No. 5651 on the Regulation of Publications on the Internet, and other relevant legislation.

In case of any discrepancy between applicable legislation and this Policy, the legislation in force shall prevail. Regulations stipulated by the relevant legislation are incorporated into DIVAPAN’s practices through this Policy.

**1.4. Definitions**

- **Explicit Consent**: Consent given freely, based on being informed, and specific to a particular matter.
- **Application Form**: A form prepared in accordance with the Law and the Communiqué on the Procedures and Principles for Application to the Data Controller, used by the data subject to exercise their rights.
- **Authorized User**: Individuals or units processing personal data within the data controller’s organization or under its authority, excluding those responsible for the technical storage, protection, or backup of data.
- **Destruction**: Deletion, destruction, or anonymization of personal data.
- **Recording Medium**: Any medium containing personal data processed wholly or partially by automated or non-automated means as part of a data recording system.
- **Personal Data**: Any information relating to an identified or identifiable natural person.
- **Processing of Personal Data**: Any operation performed on personal data, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use, whether by automated or non-automated means as part of a data recording system.
- **Anonymization of Personal Data**: Rendering personal data incapable of being associated with an identified or identifiable natural person, even when combined with other data.
- **Data Subject**: A natural person whose personal data is processed by or on behalf of DIVAPAN.
- **Deletion of Personal Data**: Rendering personal data inaccessible and unusable for authorized users.
- **Destruction of Personal Data**: Rendering personal data inaccessible, irretrievable, and unusable by anyone.
- **Board**: Personal Data Protection Board.
- **Authority**: Personal Data Protection Authority.
- **Special Categories of Personal Data**: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, appearance, membership in associations, foundations, or unions, health, sexual life, criminal convictions, security measures, and biometric or genetic data.
- **Periodic Destruction**: The process of deletion, destruction, or anonymization of personal data at recurring intervals as specified in the personal data storage and destruction policy when all conditions for processing personal data under the Law no longer apply.
- **Data Processor**: A natural or legal person processing personal data on behalf of the data controller based on the authority granted.
- **Data Recording System**: A system where personal data is structured and processed according to specific criteria.
- **Data Controller**: The natural or legal person determining the purposes and means of processing personal data and responsible for establishing and managing the data recording system.
- **Data Representative**: A natural person appointed by the data controller to fulfill duties under the Law.
- **Regulation**: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017.

---

**2. PERSONAL DATA PROTECTION MATTERS**

**2.1. Ensuring the Security of Personal Data**

DIVAPAN takes the necessary measures outlined in Article 12 of the Law to prevent unauthorized disclosure, access, transfer, or other security issues related to personal data, depending on the nature of the data. DIVAPAN implements measures and conducts audits in accordance with guidelines issued by the Personal Data Protection Authority to ensure the required level of personal data security.

**2.2. Protection of Special Categories of Personal Data**

DIVAPAN meticulously applies measures and conducts necessary audits to protect special categories of personal data, including race, ethnic origin, political opinions, philosophical beliefs, religion, sect, appearance, membership in associations, foundations, or unions, health, sexual life, criminal convictions, security measures, and biometric or genetic data.

**2.3. Developing Awareness of Personal Data Protection and Processing**

DIVAPAN provides necessary training to relevant individuals to enhance awareness of lawful processing, access, retention, and rights related to personal data. To increase employees’ awareness of personal data protection, DIVAPAN establishes required processes and seeks consultancy support when needed. Deficiencies in practice and training outcomes are evaluated by DIVAPAN’s management. New training sessions are organized as needed based on these evaluations and changes in relevant legislation.

---

**3. PROCESSING OF PERSONAL DATA**

**3.1. Processing Personal Data in Compliance with Legislation**

Personal data is processed in accordance with the following principles:

i. **Compliance with Law and Integrity**: Personal data is processed in compliance with the law and integrity, within the scope required by business processes, without harming individuals’ fundamental rights and freedoms.
ii. **Ensuring Accuracy and Up-to-Date Data**: Measures are taken to ensure that processed personal data is accurate and up-to-date, with planned and systematic efforts.
iii. **Processing for Specific, Explicit, and Legitimate Purposes**: Personal data is processed for legitimate purposes determined and disclosed in business processes.
iv. **Relevance, Limitation, and Proportionality**: Personal data is collected and processed to the extent necessary for business processes, limited to the defined purposes.
v. **Retention for the Required Period**: Personal data is retained for the minimum period required by relevant legislation or the purpose of processing. If a retention period is specified in legislation, that period is adhered to; otherwise, data is retained only for the duration necessary for the processing purpose. At the end of retention periods, personal data is destroyed (deleted, destroyed, or anonymized) in accordance with periodic destruction schedules or upon the data subject’s request.

**3.2. Conditions for Processing Personal Data**

Personal data is processed based on the data subject’s explicit consent or one or more of the following conditions:

i. **Explicit Consent of the Data Subject**: Personal data is processed with the data subject’s explicit consent, given freely after being informed about a specific matter.
ii. **Absence of Explicit Consent**: Personal data may be processed without the data subject’s explicit consent under the following conditions:
a. **Explicitly Provided by Law**: If personal data processing is explicitly stipulated in laws.
b. **Impossibility of Obtaining Consent Due to Actual Impossibility**: If processing is necessary to protect the life or physical integrity of the data subject or another person when the data subject cannot give consent due to actual impossibility or their consent is not legally valid.
c. **Directly Related to the Conclusion or Performance of a Contract**: If processing is necessary for the conclusion or performance of a contract to which the data subject is a party.
d. **Fulfillment of Legal Obligations**: If processing is mandatory for DIVAPAN to fulfill its legal obligations.
e. **Publicized by the Data Subject**: If the data subject has made their personal data public, it may be processed for the purpose of publicization.
f. **Mandatory for the Establishment or Protection of a Right**: If processing is necessary for the establishment, exercise, or protection of a right.
g. **Mandatory for Legitimate Interests**: If processing is necessary for DIVAPAN’s legitimate interests, provided it does not harm the data subject’s fundamental rights and freedoms.

**3.3. Processing of Special Categories of Personal Data**

DIVAPAN processes special categories of personal data in compliance with the principles set out in the Law and this Policy, taking all necessary administrative and technical measures as determined by the Board, under the following conditions:

a. Explicit consent of the data subject,
b. Explicitly provided by law,
c. Necessary to protect the life or physical integrity of the data subject or another person when the data subject cannot give consent due to actual impossibility or their consent is not legally valid,
d. Related to personal data publicized by the data subject and in line with their intent to publicize,
e. Necessary for the establishment, exercise, or protection of a right,
f. Necessary for public health, preventive medicine, medical diagnosis, treatment, care services, or the planning, management, and financing of health services by persons or authorized institutions under confidentiality obligations,
g. Necessary to fulfill legal obligations in employment, occupational health and safety, social security, social services, or social assistance,
h. Necessary for foundations, associations, or other non-profit organizations established for political, philosophical, religious, or trade union purposes, provided it is in line with their legislation and purposes, limited to their field of activity, and not disclosed to third parties, targeting their current or former members, affiliates, or persons regularly in contact with them.

**3.4. Informing Data Subjects**

DIVAPAN informs data subjects about the purposes of processing their personal data, with whom and for what purposes the data is shared, the methods of collection, the legal basis, and the rights they have regarding the processing of their personal data, in accordance with relevant legislation. Personal data protection is carried out based on other policy documents and disclosure texts prepared in line with the principles of this Policy.

**3.5. Transfer of Personal Data**

DIVAPAN may transfer personal data and special categories of personal data to third parties in accordance with the law, taking necessary security measures, for the purposes of processing. DIVAPAN conducts transfer operations in compliance with Article 8 of the Law.

i. **Transfer of Personal Data**

While explicit consent of the data subject is generally required for the transfer of personal data, transfers may occur under one or more of the following conditions, with all necessary security measures, including methods prescribed by the Board:

a. Explicitly provided by law,
b. Necessary for the conclusion or performance of a contract,
c. Mandatory for DIVAPAN to fulfill its legal obligations,
d. Limited to the purpose of publicization if the data subject has publicized their personal data,
e. Necessary for the establishment, exercise, or protection of the rights of DIVAPAN, the data subject, or third parties,
f. Necessary for DIVAPAN’s legitimate interests, provided it does not harm the data subject’s fundamental rights and freedoms,
g. Necessary to protect the life or physical integrity of the data subject or another person when the data subject cannot give consent due to actual impossibility or their consent is not legally valid.

Personal data may be transferred to foreign countries declared by the Board as having adequate protection (“Countries with Adequate Protection”) under the above conditions. For countries without adequate protection, transfers may occur to data controllers in Turkey or abroad who provide written commitments for adequate protection and obtain the Board’s approval (“Countries with Data Controllers Committing to Adequate Protection”), subject to the conditions in the legislation. In the absence of an adequacy decision, appropriate safeguards as stipulated in Article 10 of the Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad must be established between the parties to the data transfer. These safeguards include:

a. Binding corporate rules,
b. Standard contractual clauses,
c. Written undertakings.

ii. **Transfer of Special Categories of Personal Data**

Special categories of personal data may be transferred in compliance with the principles of this Policy, with all necessary administrative and technical measures, including methods prescribed by the Board, under the following conditions:

Special categories of personal data may be transferred to Countries with Adequate Protection under the above conditions. For Countries with Data Controllers Committing to Adequate Protection, transfers may occur subject to the conditions in the legislation. In the absence of an adequacy decision, appropriate safeguards as stipulated in Article 10 of the Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad must be established between the parties to the data transfer. These safeguards include:

a. Binding corporate rules,
b. Standard contractual clauses,
c. Written undertakings.

---

**4. PERSONAL DATA INVENTORY PARAMETERS**

DIVAPAN processes personal data belonging to data subjects such as job applicants, employees, shareholders/partners, potential product or service buyers, interns, supplier employees, supplier representatives, product or service recipients, parents/guardians/representatives, family members or relatives, and visitors in its Management, Administrative Affairs, Human Resources, Procurement, IT, Accounting, Finance, Sales-Marketing, Production, Quality Control, Warehouse, and Maintenance processes. Data categories and personal data (Annex-1) are processed based on the purposes of processing (Annex-2). Details of processing purposes and data subject groups by data category are reported at DIVAPAN’s VERBIS address (verbis.kvkk.gov.tr).

Personal data processing purposes are determined to comply with the principles in Article 4 of the Law, based on at least one of the processing conditions in Articles 5 and 6, limited to the purposes of informing data subjects under Article 10 and other legislation.

Personal data may be shared with real persons or private legal entities, shareholders, affiliates and subsidiaries, suppliers, group companies, customers, authorized public institutions, and contracted service providers or collaborators for the purposes specified (Annex-3) in accordance with Section 3.5 of this Policy. No personal data is transferred to foreign countries.

---

**5. MEASURES TAKEN FOR PERSONAL DATA PROTECTION**

DIVAPAN takes necessary technical and administrative measures to protect personal data processed in accordance with the Law, conducts audits, and carries out awareness and training activities. In the event that personal data is unlawfully obtained by third parties despite all measures, DIVAPAN notifies the relevant persons and units as soon as possible.

---

**6. STORAGE AND DESTRUCTION OF PERSONAL DATA**

DIVAPAN retains personal data for the period necessary for the purpose of processing or the minimum period stipulated by relevant legislation. If a retention period is specified in legislation, DIVAPAN complies with it; otherwise, data is retained only for the duration necessary for the processing purpose. At the end of retention periods, personal data is destroyed (deleted, destroyed, or anonymized) in accordance with periodic destruction schedules or upon the data subject’s request, using appropriate methods.

---

**7. RIGHTS OF DATA SUBJECTS AND EXERCISE OF THESE RIGHTS**

**7.1. Rights of Data Subjects**

Data subjects have the following rights under the Law:

i. To learn whether their personal data is processed,
ii. To request information about processed personal data,
iii. To learn the purpose of processing and whether the data is used in accordance with that purpose,
iv. To know the third parties to whom personal data is transferred domestically or abroad,
v. To request correction of incomplete or inaccurate personal data and notification of such corrections to third parties to whom the data was transferred,
vi. To request deletion or destruction of personal data if the reasons for processing no longer exist, despite being processed in accordance with the Law, and notification of such actions to third parties to whom the data was transferred,
vii. To object to any result against them arising from the analysis of processed data exclusively through automated systems,
viii. To demand compensation for damages caused by unlawful processing of personal data.

**7.2. Exercise of Data Subject Rights**

Data subjects may submit requests regarding the rights listed in Section 7.1 to DIVAPAN using the methods determined by the Board. Data subjects or their authorized representatives can apply by filling out the “Data Subject Application Form” (Annex-4).

**7.3. Responding to Applications**

DIVAPAN processes applications from data subjects in accordance with the Law and other legislation. Requests submitted in accordance with the procedure are finalized free of charge as soon as possible and within 30 days at the latest. If the process incurs additional costs, a fee may be charged as per the tariff set by the Board.

**7.4. Rejection of Data Subject Applications**

DIVAPAN may reject a data subject’s request with justification in the following cases:

i. Processing personal data anonymously for research, planning, or statistics,
ii. Processing personal data for art, history, literature, or scientific purposes, or within the scope of freedom of expression, provided it does not violate national defense, national security, public safety, public order, economic security, privacy, or personal rights, or constitute a crime,
iii. Processing personal data by public institutions authorized by law for national defense, national security, public safety, public order, or economic security for preventive, protective, or intelligence activities,
iv. Processing personal data by judicial or enforcement authorities for investigation, prosecution, trial, or enforcement proceedings,
v. Processing personal data to prevent crime or for criminal investigations,
vi. Processing personal data publicized by the data subject,
vii. Processing personal data for supervisory or regulatory duties, or disciplinary investigations or prosecutions by authorized public institutions or professional organizations,
viii. Processing personal data to protect the state’s economic and financial interests in budget, tax, or financial matters,
ix. If the request may hinder the rights and freedoms of others,
x. If the request requires disproportionate effort,
xi. If the requested information is publicly available.

**7.5. Data Subject’s Right to Complain to the Board**

Under Article 14 of the Law, if an application is rejected, the response is deemed insufficient, or no response is provided within the specified period, the data subject may file a complaint with the Board within 30 days of learning of DIVAPAN’s response or within 60 days from the application date, in any case.

**7.6. Information Requested from the Applicant**

DIVAPAN may request information from the applicant to verify whether they are the data subject. DIVAPAN may also ask questions to the data subject to clarify matters in their application.

---

**8. EXECUTION**

This Policy has been approved by the Board of Directors and entered into force. The technical execution of the Policy is ensured through the “Personal Data Storage and Destruction Policy” (Annex-5).

The Policy is implemented in business processes and with stakeholders through the “Customer Disclosure Text,” “Corporate Confidentiality Agreement,” “Employee Disclosure Text,” “Job Applicant Disclosure Text,” “Cookie Disclosure Text,” “Camera Surveillance Disclosure Text,” and “Carrier Disclosure Text.”

The Board of Directors is responsible for the execution and, if necessary, updating of the Law and this Policy. The DIVAPAN Personal Data Protection Committee is responsible for the follow-up, coordination, and supervision of all related processes and actions.

---

**9. ENTRY INTO FORCE AND ANNOUNCEMENT**

The Policy entered into force upon its publication. Any changes to the Policy will be published on DIVAPAN’s website (www.divapan.com.tr) and made accessible to data subjects and stakeholders. Policy changes take effect on the date of publication.

---

**ANNEXES**

- **Annex-1**: Data Categories and Personal Data
- **Annex-2**: Personal Data Processing Purposes
- **Annex-3**: Recipients and Purposes of Personal Data Transfers
- **Annex-4**: Data Subject Application Form
- **Annex-5**: Personal Data Storage and Destruction Policy

---

**ANNEX-1: DATA CATEGORIES AND PERSONAL DATA**

**Data Categories** | **Personal Data**

**Identity** | Name, Surname, Mother’s/Father’s Name, Date of Birth, Place of Birth, Marital Status, Turkish ID Number, Passport Number, Gender, Turkish ID Card, Driver’s License, Nationality

**Contact** | Address, Email Address, Contact Address, Registered Electronic Mail (KEP) Address, Telephone Number

**Location** | Location data, etc.

**Personnel Records** | Payroll Information, Disciplinary Investigation Records, Entry/Exit Records, Resume Information, Military Service Status

**Legal Transactions** | Information in correspondence with judicial authorities, information in case files, etc.

**Customer Transactions** | Call Center Records, Invoices, Promissory Notes, Checks, Order Information, Appointment Information, Request Information

**Physical Space Security** | Employee Entry/Exit Records, Visitor Entry/Exit Logs, Camera Surveillance Footage

**Transaction Security** | IP Address Information, Website Entry/Exit Logs, Passwords

**Risk Management** | Data processed for managing commercial, technical, or administrative risks

**Financial Data** | Balance Sheet Information, Financial Performance Data, Credit and Risk Information, Bank Account Number, IBAN Number

**Professional Experience** | Diploma Information, Attended Courses, In-House Training, Certificates, Transcripts, Information About Last Employer, References

**Marketing** | Purchase History, Surveys, Cookie Data, Information Obtained from Campaigns

**Visual and Audio Recordings** | Camera Footage, Photographs

**SPECIAL CATEGORIES OF PERSONAL DATA**

**Health Data** | Disability Status, Blood Type, Personal Health Data, Devices or Prosthetics Used, Laboratory and Imaging Results, Test Results, Examination Data

**Criminal Convictions and Security Measures** | Information Related to Criminal Convictions

**OTHER PERSONAL DATA**

**Family Information** | Number of Children, Family Register Extract, Spouse’s Employment Details, Children’s Education and Age Information, Birth and Death Data

**Employment Data** | Branch/Department, Employment Type, Profession, Professional Card Information

**Signature Information** | Wet or digital signatures, fingerprints, or special marks on documents containing personal data

**Website Usage Data** | Application Form Completion Date, Website Login Frequency/Times, Last Login Date, IP Address, Browser Information

**Request/Complaint Management** | Survey Data, Personal Data related to the receipt and evaluation of requests or complaints directed to DIVAPAN

**Reputation Management** | Information collected to protect DIVAPAN’s commercial reputation, evaluation reports, and actions taken

**Incident Management** | Personal Data processed to take legal, technical, and administrative measures to protect DIVAPAN’s and customers’ interests in response to incidents

**Insurance Data** | Automatic Enrollment in Private Pension Plans, Social Security Institution Data

**Vehicle Information** | License Plate, Brand, Model, Year, Engine and Chassis Number, Registration Date, License Copy, No-Claims Data

**Compliance Data** | Personal Data processed for compliance purposes

**Audit and Inspection Data** | Personal Data processed during internal or external audits

---

**ANNEX-2: CATEGORICAL PERSONAL DATA PROCESSING PURPOSES**

- Emergency Management
- Information Security Management
- Recruitment and Placement of Employees, Interns, and Students
- Management of Job Applications
- Fulfillment of Employment Contracts and Legal Obligations
- Management of Employee Benefits
- Conducting Audits and Ethical Activities
- Training Activities
- Management of Access Rights
- Ensuring Compliance with Legislation
- Financial and Accounting Operations
- Customer Loyalty Programs
- Ensuring Physical Security
- Task Assignment Processes
- Legal Proceedings and Follow-Up
- Internal Audits, Investigations, and Intelligence Activities
- Communication Activities
- Human Resources Planning
- Execution and Audit of Business Activities
- Occupational Health and Safety Activities
- Collecting and Evaluating Suggestions for Process Improvement
- Ensuring Business Continuity
- Logistics Operations
- Procurement of Goods/Services
- After-Sales Support Services
- Sales of Goods/Services
- Production and Operational Processes
- Customer Relationship Management
- Customer Satisfaction Activities
- Event and Organization Management
- Marketing Analysis
- Performance Evaluation
- Advertising, Campaigns, and Promotions
- Risk Management
- Storage and Archiving
- Contract Management
- Strategic Planning
- Request and Complaint Tracking
- Security of Movable Assets
- Supply Chain Management
- Salary Policy Implementation
- Marketing of Products/Services
- Ensuring Security of Data Controller Operations
- Investment Processes
- Talent and Career Development
- Providing Information to Authorized Persons and Institutions
- Management Activities
- Creation and Tracking of Visitor Records

---

**ANNEX-3: RECIPIENTS OF PERSONAL DATA AND TRANSFER PURPOSES**

DIVAPAN may transfer personal data to the following categories of recipients in accordance with Articles 8 and 9 of the Law:

**Recipient Category** | **Definition** | **Purpose and Scope of Data Transfer**

**Real Persons or Private Legal Entities** | Individuals or entities with whom DIVAPAN conducts business or transactions | Limited to the scope of the business or transaction

**Shareholders** | Real persons with a partnership relationship with DIVAPAN | Limited to the planning, execution, and supervision of DIVAPAN’s commercial activities

**Affiliates and Subsidiaries** | DIVAPAN’s affiliates and subsidiaries | Limited to the execution and supervision of activities required by the affiliate or subsidiary status

**Group Companies** | Companies within the same group as DIVAPAN | Limited to managing relationships with companies in the same group

**Authorized Public Institutions** | Institutions such as the Social Security Institution and Tax Offices, authorized to receive information and documents from DIVAPAN under applicable legislation | Limited to the purpose requested by the public institution under its legal authority

**Contracted Service Providers** | Entities providing contracted services or collaborating with DIVAPAN | Limited to the terms of contracts and collaboration protocols

**Suppliers** | Parties providing goods or services to DIVAPAN per its data processing purposes | Limited to the procurement of goods and services for DIVAPAN’s commercial activities

**Customers** | Institutions or organizations receiving services from DIVAPAN | Limited to customer relationship management and contract terms

---

**DIVAPAN ENTEGRE AĞAÇ PANEL SANAYİ VE TİCARET A.Ş.**