1.1. General

Ensuring the privacy and security of personal data in compliance with the relevant legal regulations are among the utmost priorities of VISCOL PETROKİMYA SANAYİ VE TİCARET A.Ş. (Further – Company)

In this context, this Privacy and Personal Data Protection and Processing Policy regarding  processing and protection of personal data (‘Policy’) together with other written policies within the Company targets legal processing, storing and protecting the personal data of our employees, customers, employee candidates, visitors, guests and other third parties (“Related Persons”),  whose personal data is processed. Our Company ensures compatibility of its Policy with Turkish Personal Data Protection Law No. 6698 (‘Data Protection Law’).

While preparing this policy, our Company considered the provisions of the Constitution of the Republic of Turkey, the regulations in ‘Data Protection Law’, the relevant legal norms regarding privacy,  protection and processing of personal data, as well as the decisions taken by the Personal Data Protection Board/Committee as main guidance.

The explanations and instructions regarding the following basic principles adopted by our company are as follows:

  • Processing personal data in accordance with the law and honesty rules,
  • Keeping personal data accurate and up-to-date when necessary,
  • Processing personal data for specific, explicit and legitimate purposes,
  • The personal data are linked, limited and measured for the purpose for which they are processed,
  • Keeping personal data for as long as required by the relevant legislation or for the purpose for which they are processed,
  • Keeping the relevant persons informed,
  • Establishing the necessary processes for the relevant persons to exercise their rights,
  • Taking necessary measures in the processing and preservation of personal data,
  • Due to the requirements of the processing purpose, transferring personal data to third parties,
  • Showing the necessary sensitivity in the processing and protection of personal data of private nature,
  • Deletion, destruction or anonymization of personal data whose purpose of processing is lost.

1.2. Purpose and Scope of the Policy

The main purpose of the Policy is to ensure full compliance with the Personal Data Protection Law (in Turkish – KVKK) in processing activities to be carried out by the Company.

In addition, the prepared Policy and other written policies aim to make our principle of compliance with Personal Data Protection Law (KVKK) and other relevant legal regulations regarding personal data security sustainable.

The scope of the Policy relates to all personal data processed automatically or non-automatically, provided that it is a part of any data recording system.

1.3. Implementation of the Policy and Related Legislation

The policy has been embodied and arranged within the framework of the principles set forth by the relevant legislation. In case of inconsistency between the current legislation and the Policy, then applicable law shall apply.

1.4. Enforcement of the Policy

The policy enters into force after being approved by the board of directors, published on the website ( and distributed to all Company employees via e-mail addresses.


Explicit Consent – Consent about a specific subject, based on information and expressed with free will

Anonymization/Anonymization Making personal data incapable of being associated with an identified or identifiable real person in any way, even by pairing it with other data

Employee – Company Employees

Employee Candidate – Real persons who have applied for a job at the Company by any means or have submitted their CV and related information to the Company for review.

Related/Relevant Person – Real person whose personal data is processed

Personal Data – Any information relating to an identified or identifiable person.

Processing of Personal Data – Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, preventing its use, classifying personal data by fully or partially automatic or non-automatic means, all kinds of operations performed on the data provided that it is a part of any data recording system.

Committee –  Personal Data Protection Committee within the Company

Board  –  Personal Data Protection Board

Institution – Personal Data Protection Institution

Turkish Personal Data Protection Law No. 6698 (‘Data Protection Law’) – Data Protection Law (in Turkish – KVKK No. 6698)

Personal Data of Private Nature – Data on race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data

Periodic Destruction Process – The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy.

Policy – Privacy and Protection of Personal Data and Processing Policy

Potential Customer – Persons, who have requested to use the Company’s services or who have been evaluated in accordance with the commercial practices and honesty rules.

Company – Viscol Petrokimya Sanayi ve Ticaret A.Ş.

Data Processor – A natural and legal person who processes personal data on behalf of the data Operator, based on the authority given by the data Operator.

Data Recording System – The registry system, directory, where personal data is processed and structured according to certain criteria

Data Operator – A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system

Application Form to the Data Operator – The application form to be used by the Related Persons when using their applications regarding their rights in Article 11 of Data Protection Law (KVKK)

Deletion of Data – Making personal data inaccessible and non-reusable for relevant users in any way

Destruction of Data – Making personal data inaccessible, unrecoverable and unusable by anyone in any way

Visitor – Real persons who have entered the physical campuses owned by the Company for various purposes or visited the websites.


3.1. Processing of Personal Data in Compliance with the Principles Envisioned in the Legislation

3.1.1. Legal and Integrity Processing

All transactions to be carried out on personal data shall be complied with the law and the rules of honesty. In this context, by adopting the principle of transparency, Relevant Persons are informed about the purpose of using the collected personal data.

3.1.2. Ensuring Accurate and Up-to-Date Personal Data When Necessary

While carrying out personal data processing activities, a system and process is established to ensure that personal data is accurate and up-to-date.

In this context, Relevant Persons may make it possible to keep their personal data accurate and up-to-date by applying to the Company.

These applications are submitted in accordance with the Notice of Application Procedures and Principles for the Data Operator.

3.1.3. Processing for Specific, Explicit, and Legitimate Purposes

The purpose of processing personal data is clearly determined within legitimate and legal limits and is submitted to the Information of Relevant Persons through the Policy and other Formulations/Acts before the personal data processing activity begins.

3.1.4. Being Related, Limited and Moderate to the Purposes for which they are Processed.

Personal data are processed within the scope of the necessary purposes for the execution of the activity in a way that is related and proportional to the subject of the activity. In this context, while the data processing activity is being carried out, it is carefully avoided to process personal data that is not related to the realization of the purpose and is not needed at the moment or in the future.

3.1.5. Retention for as Long as Required for the Purpose of Processing or Envisioned in the Relevant Legislation

Personal data is retained only for the period specified in the relevant legislation or required for the purpose for which they are processed.

In this context, first of all, it is determined whether a period is determined in the relevant legislation for the storage of personal data, if a period is determined in the relevant legislation, action is taken in accordance with this period, if a specific period is not determined in the relevant legislation, then the required period is determined and personal data is maintained for this period. In this context, a storage and destruction policy is prepared and implemented for the deletion, destruction or anonymization of personal data.

3.2. Processing of personal data in accordance with Data Protection Law Article No. 5 and within its limits

Personal data is processed only on the basis of the explicit consent of the persons concerned or in cases where explicit consent is not requested under Data Protection Law 6698, i.e. without explicit consent.

3.2.1. Explicit Consent

Explicit consent is the free will declaration of the Related Persons on a specific subject and based on information.

According to Data Protection Law Articles No. 5/1 and 6/2, the explicit consent of Relevant Persons is obtained if necessary for personal data processing.

3.2.2. Circumstances Where Explicit Consent is Not Required

Data Protection Law Article No. 5/2 regulates the processing of personal data in some cases without the explicit consent of Relevant Persons.

In cases where data processing conditions are available, explicit consent is not applied, therefore, obtaining explicit consent from the Relevant Persons in the presence of one of the specified conditions is considered as misleading the Relevant Persons.

3.3. Processing of Private Personal Data

Due to the risk of causing greater victimization or discrimination of individuals when processed, maximum sensitivity is shown in the processing and protection of personal data determined as “special category”or “private nature” by Data Protection Law (in Turkish called ‘KVKK’).

Accepted principles regarding sensitive personal data are also discussed in the Policy.

If the person concerned does not give explicit consent, then the adequate measures will be determined by the Board and special categories of personal data can be processed in the following cases,

  1. a) Private personal data other than the health and sexual life of the person concerned in cases stipulated by law,
  2. b) Private personal data regarding the health and sexual life of the person concerned, but only for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning, financing and management of health services or persons or authorized institutions under the obligation of secrecy. It can be processed by organizations without seeking the explicit consent of the person concerned.

Additional measures and processes are determined regarding the processing of private personal data and access to these data.

In this framework, a separate procedure is established regarding the processing of special categories of personal data.

3.4. Transfer of Personal Data

Personal data can be transferred to supervisory institutions within the framework of audit activities, to authorized public institutions and organizations within the scope of the relevant legal regulations and fulfillment of legal obligations within the framework of the personal data processing conditions and purposes specified in Data Protection Law Articles No. 8 and 9, in cases of carrying out business and transactions with suppliers and business partners in the country and / or abroad, real persons to whom services are supplied and / or third parties to whom services are rendered.


4.1. Technical and Administrative Measures Taken by Our Company Regarding the Security of Personal Data:

Network security and application security are provided;

Disciplinary regulations that include data security provisions for employees are provided;

Training and activities raising awareness on data security are carried out periodically for employees;

Confidentiality commitments are made;

The authorizations of employees, who change job or quit their job in this field, are removed;

Up-to-date anti-virus systems are used;

Firewalls are used;

The signed contracts contain data security provisions/clauses;

Personal data security policies and procedures have been determined.

Personal data security issues are reported instantly;

Personal data security is monitored;

Necessary security measures are taken regarding entrance and exit to physical environments containing personal data;

The security is provided in the environments containing personal data;

Personal data is backed up and the security of the backed up personal data is also ensured.

User account management and authorization control system are implemented and monitored;

Existing risks and threats have been identified;

Other – Personal Data Inventory/Catalogue is prepared.

4.3. Protection of Private Personal Data of Special Category

Private data determined as special category by Data Protection Law is processed and sensitively protected in accordance with the law.

In this context, the protection of personal data is carried out in line with the relevant legal regulation and the decision of the “Adequate Precautions to be Taken by Data Operators while Processing Personal Data of Special Category” published by the Personal Data Protection Authority.

4.4. Process to Follow in Case of Unauthorized Disclosure of Personal Data

In case the processed personal data is obtained by others illegally, this situation is notified to the Related Persons and the Board within 72 hours.

If deemed necessary by the Board, this situation is announced on the website of the Board or in another way.

4.5. Personal Data Inventory

Each unit creates an up-to-date personal data processing inventory/catalogue.

The department manager is responsible for the accuracy and renewal of this inventory and its submission to the contact person when necessary.

Keeping inventories accurate, implementing up-to-date policies on the protection of personal data, and current developments in the protection of personal data are always monitored.


5.1. Subject of Application

The rights of Related Persons are given great importance and value, and they are provided with the opportunity to use these rights.

An “Application Form for Data Operator” is prepared and published on the website (, where the Relevant Persons can easily submit their requests.

However, Related Persons are not obligated to use this form. Every application made in accordance with the Regulations on Application Procedures and Principles to the Data Operator will be evaluated.

Everyone sending an application to our Company will be able to;

  1. Learn whether personal data is processed or not;
  2. If personal data has been processed, request information about it;
  3. Learn the purpose of processing personal data and whether they are used in accordance with its purpose,
  4. Know the third parties to whom personal data is transferred in the country or abroad;
  5. Request correction of personal data in case of incomplete or incorrect processing;
  6. Request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Data Protection Law;
  7. Request notification of the transactions if personal data has been transferred to third parties, as stated in subparagraphs (d) and (e);
  8. Object to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems;
  9. Ask for the compensation of the damage in case of loss due to unlawful processing of personal data.

5.2. Application Procedure and Address

Application Procedure – Address to Apply  –  Application Title

Application in person (the document proving his identity is necessary, if the applicant applies personally. A notarized power of attorney must be available, in case of application by an official representative) …………… “Information Request on Protection of Personal Data in accordance with Data Protection Law” will be written on the envelope.

Notification through a notary …………… “Information Request on Protection of Personal Data in accordance with Data Protection Law” will be written in the notification envelope.

E-mail  –  Via E-Signature/Mobile Signature …………… “Information Request on Protection of Personal Data in accordance with Data Protection Law” will be written in the subject part of the e-mail.

Application via Registered Electronic Mail (REM) address

……… “Information Request on Protection of Personal Data in accordance with Data Protection Law” will be written in the subject part of the e-mail.

The e-mail address registered in our systems (The e-mail address must have previously matched the identity in our systems.) ………… “Information Request on Protection of Personal Data in accordance with Data Protection Law” will be written in the subject part of the e-mail.

5.3. Post Application Process

Applications submitted to us are responded within 30 (thirty) days at the latest from the date of receipt of the request by our Company, depending on the nature of the request. Our responses are sent to the Data ,Operator on the basis of the notification form specified by the applicant in the Application Form.

In cases where the application is rejected in accordance with Article 14 of the Law, the answer given is insufficient or the application is not answered in due time, then the related person can forward complaints to the Board within thirty days from the date of our company’s response, and, in any case, within sixty days from the date of application.

5.4. Application Fee

According to the rules, applications are made free of charge. However, if the transaction requested by the person requires an additional cost, the fee in the rate determined by the Board will be charged by our Company.

5.5. Evaluation of the Application

The “Relevant Person Application Processes and Sample Application Response Procedure” is prepared and put into effect when the evaluation of the applications is made by the Related Persons.


In accordance with the regulation in Article 10 of the Protection Law, Relevant Persons are informed about the process of obtaining personal data through the Policy and Clarification  and other legal acts that are easily accessible on the website (

In cases where personal data is processed through security cameras, layered clarification texts are used for personal data processing in areas where security cameras are located and at key points of the cameras.

In the clarification texts, at least, the identity of the data operator, the purpose for which the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the Relevant Persons are included.


7.1. Purposes of Personal Data Processing

While processing personal data, the purposes and conditions in the personal data processing conditions should be analysed and limited as specified in Articles 5 and 6 of the Law. These purposes and conditions;

  • The processing of personal data is clearly stipulated in the law,
  • The processing of personal data is directly related to and necessary for the establishment or fulfillment of a contract,
  • The processing of personal data is mandatory for our Company to fulfill its legal obligations,
  • Provided that the personal data has been made public by the Relevant Persons, there will be limited processing for the purpose of publicizing,
  • The processing of personal data is mandatory for the establishment, use or protection of a right;
  • It is mandatory to process personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the Relevant Persons;
  • The implementation of the processing of personal data is necessary to protect the life or physical integrity of the subject or a person, when the subject cannot express his consent due to actual impossibility or legal inability;
  • In terms of special categories of personal data;
  • Private nature of personal data, other than the health and sexual life of the Relevant Persons, stipulated in the law (if there is no law provision, explicit consent by the Relevant Persons),
  • Persons or authorized institutions and organizations are under the obligation to keep confidential personal data regarding the health and sexual life of Relevant Persons for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing (if this is not the case, explicit consent should be presented by the Related Persons).

7.2. Terms of Retention of Personal Data

In case it is stipulated in the relevant legislation, personal data is stored for the period specified in this legislation. In addition, in determining the retention periods, obligations arising from the relevant contracts, administrative and legal responsibilities/obligations, risks and transactions that may arise in legal terms are also taken into consideration.

Personal Data Retention and Disposal Policy is created and implemented regarding the retention periods of personal data.

The processed personal data and personal data inventories are reviewed in 6-month periods and the personal data that needs to be deleted/destroyed are deleted/destroyed within these 6-month destruction periods and its record is kept.


The policy enters into force after being approved by the Company’s board of directors.

Changes are made in the Policy by the person(s) authorized by the board of directors. Matters related to the implementation of the Policy within the Company are systematized with internal policies, procedures and internal directives.

The policy is reviewed every 6 months and, if necessary, revisions are made with the approval of the authorized person.


A contact person is appointed within the framework of personal data protection law.

A Personal Data Protection Committee (“Committee”) of 5 people is formed among company departments and employees.

The Committee is chaired by the Company’s contact person.

The contact person takes into consideration the opinions and recommendations of the Committee on administrative and technical measures. The principles determined by the Committee regarding administrative and technical measures are taken into account.

The Committee makes every effort to comply with the Company’s personal data protection legislation. The contact person supervises the Company departments for which he is responsible within the scope of personal Data Protection Law. As a result of these audits, he warns the relevant departments when necessary and informs the senior management of the situation. The liaison ensures the coordination of responding to the applications of related person made to the Company within the legal deadlines and in accordance with the procedure.

The contact person manages the Company’s relations with the Personal Data Protection Authority.


The policy enters into force as of the date of acceptance and announcement by the Company’s board of directors/authorized bodies.