POLICY ON THE PROCESSING AND PROTECTION OF EMPLOYEE PERSONAL DATA
SMF SERT METAL KALIP SANAYİ VE TİCARET A.Ş. (“Company”) attaches great importance to the privacy and protection of its employees’ personal data. The Company makes every effort, within its technical capabilities, to ensure the best protection for the personal data it processes.
This Policy on the Processing and Protection of Employee Personal Data (“Policy”) applies solely and directly to the data (“Employee Data”) processed by and under the control of the Company, relating to current and former employees. In this Policy, personal data and special categories of personal data are collectively referred to as “data” or “personal data,” and any operations performed on such data, whether wholly or partially by automatic or non-automatic means—such as obtaining, recording, storing, retaining, altering, reorganizing, disclosing, making available, classifying, or preventing their use—are referred to as “data processing” or “processing.”
This Policy has been prepared to inform employees, in their capacity as data subjects, about which of their personal data is processed, in what manner, for what purposes, and for how long, as well as to ensure that personal data processing activities are conducted within a lawful and legitimate framework.
1. HOW IS EMPLOYEE PERSONAL DATA COLLECTED?
Personal data is collected through the following methods for the purposes outlined in the section “For What Purposes Does the Company Process Employee Personal Data?” and to implement the Company’s existing policies and procedures:
1.1. Provided directly by the employee: This includes data provided during job applications, recruitment, and throughout employment.
1.2. Derived and generated during employment-related processes: Such as job suitability, performance evaluations, training records, job changes, title, work schedule, meeting participation information, etc.
1.3. Generated in relation to non-job performance matters during employment: Such as disciplinary records, visual recordings from camera security systems, leave status, etc.
2. WHAT DATA IS COLLECTED?
Within the scope of the employment relationship between the Company and the employee, the categories of personal data processed under the Law No. 6698 on the Protection of Personal Data are listed below. Unless explicitly stated otherwise, the term “personal data” under this Policy includes the following:
2.1. Personal information: Name and surname, gender, marital status, identity information, national ID number, foreign ID number, date and place of birth, residence address, previous surname, contact details, education and training information, courses and seminars attended, certifications and professional qualifications, diploma or student certificate details, graduation year and degree, foreign language skills, military status, compulsory service obligations, computer literacy, insurance type and number, tax ID, driver’s license, transportation service details, previous employers and sectors, salary details, start and end dates, reason for leaving, tax base, passport details, photo, İŞKUR registration, travel restrictions/permissions, signature on official forms/contracts, hobbies, social, cultural, and athletic activities shared through CV.
2.2. Data related to work and workplace practices: Position, title, department and location, employment status, working hours and terms, compensation, seniority and benefits, job-related expenses/advances and details, individual pension contributions, entry date, earnings and premiums, bank account details, working conditions, job descriptions, training participation, goals and performance reviews, efficiency data, compliance with work ethics and policies, motivation, disciplinary actions, internal investigations, subordinate evaluations, payroll and severance details, workplace access hours, security camera footage, leave usage and reasons.
2.3. Data provided by the employee about family members or third parties: Spouse and children’s information (name, employment/income status, birth data, education), employee’s relatives working at the Company, references, and names of mother and father as recorded in personnel health files.
2.4. Special category data (all other data is considered general personal data by law): Religion and blood type (if on ID), criminal record including convictions and security measures, health status, disability details, private health insurance documents, medical history, diagnosis and treatment records, biometric data (such as fingerprint scans used for attendance if applicable at the workplace).
3. FOR WHAT PURPOSES DOES THE COMPANY PROCESS EMPLOYEE PERSONAL DATA?
The Company processes general and special categories of employee personal data primarily in the following cases: when expressly required by law; when necessary for the performance of a contract to which the data subject is a party; when necessary for the Company to fulfill its legal obligations; when the data has been made public by the employee; when processing is necessary for the establishment, exercise or protection of a right; and when it is necessary for the Company’s legitimate interests, provided that the employee’s fundamental rights and freedoms are not harmed. If any of these lawful grounds exist, the employee’s explicit consent is not required for processing. Outside of these exceptions, the Company processes employee personal data only with their explicit consent.
The purposes for processing employee personal data by the Company include:
Fulfilling legal obligations,
Assessing compatibility with the position, Company culture, employee profile, and working conditions,
Ensuring communication,
Executing HR procedures, maintaining and improving effective employee management, enabling decisions related to personnel management, career, and organizational development, managing rights such as wages, bonuses, pensions, insurance, and leave,
Tracking expenses and budget planning,
Monitoring assignments, evaluating qualifications, assessing eligibility for other roles, and managing recruitment/transition processes,
Evaluating employee performance and determining compensation, bonuses, and other entitlements,
Planning and tracking training/meetings,
Monitoring compliance with legal, contractual, and corporate obligations, investigating and preventing violations,
Ensuring and maintaining occupational health and safety,
Meeting management reporting needs,
Managing residence and work permit applications for foreign employees,
Enabling the Company and employees to exercise legal rights, benefit from legal privileges and entitlements,
Keeping and storing health records and reports (e.g., medical leave, cost management, fitness for duty),
Conducting disciplinary investigations and internal audits,
Monitoring employee attendance for operational continuity and safety,
Controlling employee access via doors/turnstiles, adjusting work hours, ensuring workplace safety, identity verification,
Fulfilling obligations under commercial contracts to which the Company is a party,
Managing and maintaining corporate relations,
Collecting and processing documents related to employee benefits, organizing campaigns/events, conducting surveys,
Maintaining a database of former employees or using data as evidence in legal disputes,
Providing new job opportunities to current employees and managing recruitment/job transition processes.
4. SECURITY
The Company takes reasonable precautions to protect data against loss, misuse, unauthorized access, disclosure, alteration, and destruction. Personal data is stored in secure physical environments and/or servers. Employees can access detailed information regarding these precautions in the Company’s “Policy on the Processing and Protection of Personal Data.”
5. SPECIAL CASES
5.1. Monitoring
Company communication systems and equipment (e.g., computers, mobile phones, email accounts) are intended solely for business use. Personal communication should not be conducted using these systems, and personal files should not be stored on Company devices. Technical support teams may access these systems remotely in case of malfunctions.
5.2. Surveillance Cameras
For security purposes, workplace premises are equipped with surveillance and recording systems. These records are monitored, stored, and audited by the Company and may be used in disciplinary investigations if necessary.
Training sessions attended by employees may be recorded or photographed and shared internally for awareness or to benefit those who could not attend.
5.3. Workplace Personal Health Files
In accordance with occupational health and safety regulations, personal health files are created and maintained for employees. These sensitive health records may be transferred to future employers upon request after the termination of the employment contract.
5.4. Time Tracking
Biometric systems (e.g., fingerprint scanning) may be used for accurate and secure time tracking. These systems do not allow copying or reuse of raw biometric data. The Company commits to using this data solely for the purposes stated herein.
5.5. Performance Data
Performance evaluations, targets, and results are accessible only to authorized managers and the HR department. Other employees or third parties cannot access this information.
6. WITH WHOM IS PERSONAL DATA SHARED?
The Company may share employee personal data with third parties and institutions for the purposes outlined in this Policy and under the exceptions listed in Articles 5 and 6 of the Law. Below is a list of the recipients, the type of data shared, and the purposes for which it is transferred:
| Recipient Group | Transferred Data | Purpose of Transfer |
|---|---|---|
| Banks | Identity data, payment details, contact information | Fulfilling legal and contractual obligations |
| OHS Providers & Healthcare Institutions | Identity data, health records, employee and family details in ID cards | Fulfilling legal and contractual obligations |
| Insurance Companies | Identity, pension contribution info, salary data, disabilities, health records, diagnoses and treatment costs | Fulfilling legal and contractual obligations |
| On-site Visited Firms & Local Authorities | ID data, OHS training records, job entry form, medical reports, criminal record, job title | Ensuring safety and fulfilling commercial contract obligations |
| Cargo Companies | ID data, address | Sending shipments to the employee |
| Travel Agencies | ID, contact, address, travel route | Managing business travel, visa, accommodation procedures |
| HR Service Providers | ID and passport data, prior residence/work permit data | Managing work/residence permit processes for foreign employees |
| Training Institutions | ID, title, education, qualifications | Planning training and certification processes |
| Client and Vendor Companies | ID, job title, project responsibility | Managing corporate relations |
| Mobile Network Operators | ID, assigned phone line details | Fulfilling legal and contractual obligations |
| Research Firms | Education, work experience, salary, title and level | Personnel management, organizational development, salary policy planning |
| Tax/Audit/Legal Advisors | ID, address, job title, personnel records, payroll details | Legal obligations, exercising rights, using legal privileges |
| Authorized Public Authorities & Judicial Bodies | Relevant data types depending on the nature of the legal process and requests | Fulfilling legal obligations and responding to official requests |
| Group Companies | ID, title, job start/end date, wage and performance data | Personnel and assignment management within the group |
7. INTERNATIONAL DATA TRANSFER
In the event of a business trip that requires a commercial visa, the Company may share the employee’s name, surname, Turkish ID number, and passport number with companies located abroad to obtain invitation letters.
8. YOUR RIGHTS REGARDING YOUR PERSONAL DATA
Employees have the right to apply to the Company to:
Learn whether their personal data is processed,
Request information if personal data has been processed,
Learn the purpose of processing and whether it is used appropriately,
Know the third parties to whom personal data has been transferred domestically or abroad,
Request correction of incomplete or inaccurate data,
Request deletion or destruction of data under the conditions of Article 7 of the Law,
Request notification of these actions to third parties to whom data has been transferred,
Object to any outcome against them arising from automated data analysis,
Request compensation for damages due to unlawful data processing.
Employees may submit these requests to the Company in writing. The Company may respond in written or digital format with a reasoned decision.
As a rule, no fee shall be charged for these requests. However, if the process incurs a cost, the Company may charge a fee based on the tariff set by the Personal Data Protection Board (KVKK Board) pursuant to Article 13 of Law No. 6698.
9. DATA RETENTION PERIODS
Unless otherwise specified by legal requirements:
9.1. Personnel records are stored for 10 years after the calendar year in which the employment ends.
9.2. Personal health files (e.g., ID cards, medical reports) are stored for 15 years after termination of employment.
9.3. CCTV footage is stored for 90 days from the date of recording.
In case of intermittent employment, retention periods start after the end of the final employment term.
Details regarding data deletion, destruction, and anonymization can be found in the Company’s “Personal Data Retention and Destruction Policy.”
10. PRINCIPLES OBSERVED BY THE COMPANY WHEN PROCESSING EMPLOYEE DATA
When processing employee personal data, the Company observes the following principles:
Processing personal data in compliance with the law and the principles of honesty,
Ensuring that data is accurate and up to date when necessary,
Processing for specific, explicit, and legitimate purposes,
Keeping data relevant, limited, and proportionate to the purposes of processing,
Retaining personal data only for as long as necessary for the purpose of processing,
Ensuring that data is processed in accordance with the purpose for which it is collected or further processed.
11. OUR MEASURES AND COMMITMENTS REGARDING DATA SECURITY
The Company is committed to protecting employee personal data securely. It takes technical and administrative measures to prevent unlawful processing or unauthorized access to personal data and to ensure secure storage, using appropriate methods and security technologies.
Special categories of personal data are processed only after taking additional security measures determined by the Personal Data Protection Board.
The Company undertakes not to disclose employee data to third parties or use such data for purposes other than those specified in this Policy and Law No. 6698 on the Protection of Personal Data. If personal data is shared with third-party service providers under this Policy, the Company ensures that these providers comply with the commitments stated in this section.
12. CHANGES TO THE POLICY
The Company reserves the right to update or amend this Policy as needed by publishing the changes or giving notice of them within the organization. Any updates or amendments to the Policy shall become effective as of the date of announcement or notification.
