This procedure has been prepared to define, in the event that personal data processed by Ege Seramik San. ve Tic. A.Ş. in compliance with Law No. 6698 on the Protection of Personal Data are unlawfully obtained by third parties,
All recording environments and activities in which personal data belonging to employees, employee candidates, customers, suppliers, visitors, and other third parties are processed by Ege Seramik San. ve Tic. A.Ş.
a) Employee: Personnel of Ege Seramik San. ve Tic. A.Ş.
b) Form: The “Personal Data Breach Notification Form” published by the Personal Data Protection Board with its decision dated 24.01.2019 and numbered 2019/10.
c) Law: Law No. 6698 on the Protection of Personal Data.
d) Personal Data: Any information relating to an identified or identifiable natural person.
e) Board: The Personal Data Protection Board.
f) Authority: The Personal Data Protection Authority.
g) Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
h) Potential Data Breach: A situation within the Company that potentially creates a risk of a data breach, identified by employees.
i) Data Subject: The natural person whose personal data is processed and who is affected by the Data Breach.
j) Data Controller: Ege Seramik Sanayi ve Ticaret A.Ş.
k) ES PDP Board: Ege Seramik San. ve Tic. A.Ş. Personal Data Protection Board.
l) Stakeholder: Parties affected by the Company’s activities or who affect the Company’s activities, such as employees, customers, suppliers, shareholders, etc.
Stakeholders: All stakeholders of Ege Seramik San. ve Tic. A.Ş. are obliged to cooperate in the event of a data breach.
ES PDP Board: Responsible for analyzing personal data breaches or potential breaches and taking measures to eliminate vulnerabilities and prevent recurrence (fulfillment of the requirements under Table-1 “Examination of the Breach”, “Analysis of Possible Consequences” and “Measures”).
Data Contact Officer: Responsible for notifying the PDP Board and the Data Subject of the personal data breach.
General Manager: Chairs the ES PDP Board and is responsible for informing the Holding Finance Group Presidency in the event of a personal data breach or potential breach.
Ege Seramik San. ve Tic. A.Ş. maintains Personal Data accurately and up to date through the following methods:
In the event of a personal data breach or potential breach arising from unlawful processing, access, acquisition of Personal Data within the Company’s area of control, or the circumvention of technical and administrative measures taken by the Company to protect Personal Data by unauthorized persons, the following three main steps are followed:
The detailed steps to be followed in case of a personal data breach or potential breach are provided in Table-1.
Table-1: Steps to Be Followed in Case of a Personal Data Breach
| 1- ANALYSIS | |
|---|---|
| 1.1 Examination of the Breach | In the event of a personal data breach or potential breach, the following information is collected: a) Date and time of the breach; b) Source of the breach; c) Which personal data and data subject groups were affected; d) Number of persons affected. |
| 1.2 Analysis of Possible Consequences | To identify potential issues arising from the breach or potential breach, the following are examined: a) The purposes for which the breached data may be used; b) Whether there is a risk to other personal data/systems; c) Potential effects of the breach; d) The level (Low - Medium - High) at which data subjects may be affected; e) The level (Low - Medium - High) at which Ege Seramik San. ve Tic. A.Ş. may be affected; f) Recovery time. |
| 2- NOTIFICATION | |
| 2.1 Notification to the PDP Board | In the event of a Data Breach, notification to the Board shall be made in accordance with the Board’s decision dated 24.01.2019 and numbered 2019/10. The breach shall be reported to the Board within 72 hours from the date it is detected. If 72 hours are insufficient due to justified reasons, the reason for the delay shall be explained in the late notification. The notification shall be made by filling out the relevant Personal Data Breach Notification Form via the “Create Notification” link on the Authority’s website. If it is not possible to provide all information in the form at once, the missing information shall be obtained and submitted progressively without undue delay. |
| 2.2 Notification to the Data Subject | In the event of a Data Breach, affected persons shall be informed as soon as reasonably possible, directly if their contact details are available, or via publication on the Company’s website if not. The notification shall include at least: a) When the breach occurred, b) Which categories of personal data (distinguishing between personal data and special categories of personal data) were affected, c) Possible consequences of the breach, d) Measures taken or recommended to mitigate adverse effects, e) Contact details of responsible persons or communication channels (such as the website address or call center). |
| 3- MEASURES | |
| | Measures to eliminate vulnerabilities and prevent recurrence include: 1. Evaluating the adequacy of preventive measures in place prior to the breach. 2. Taking technical and administrative actions after the breach to mitigate its effects and prevent recurrence. 3. Providing periodic training to employees on personal data protection. |
This procedure is published electronically (QDMS) and disclosed to the public on www.egeseramik.com. It enters into force upon publication on the Company’s website.
The procedure is reviewed at least once a year and updated where necessary.
The most up-to-date version of the Policy can be accessed via www.egeseramik.com.