PROTECTION OF PERSONAL DATA AND CONFIDENTIALITY POLICY

Purpose

We give utmost importance to the privacy of your life and your personal information. As ALD Automotive Turizm Ticaret A.Ş. (“ALD Automotive” or “Company”), we are using our best efforts to lawfully process and protect the personal data belonging to the employees, customers, business partners, authorities, potential customers, employee candidates, interns, visitors and suppliers of ALD SA or ALD Automotive as well as to the employees of the companies/customers/suppliers with which we cooperate in our business (e.g. drivers of leased cars, contact points for the customers from company-to company, fleet managers etc.) including but not limited to third persons and other persons (these persons will be hereinafter referred to as  “Data Subject” or “Data Subjects”). Therefore, this Protection of Personal Data and Confidentiality Policy (“Policy”) has been prepared in order to give information about how do we collect, process and protect your personal data and for which purposes do we use them.     

In addition, this Policy has been developed to ensure processing of personal data by our Company in the course of its activities as per the relevant provisions in the applicable legislation including especially in the Law on Protection of the Personal Data numbered 6698 (“LPPD”) and resolutions of the Personal Data Protection Board (“Board”), guidelines and documents published by the Personal Data Protection Authority (“Authority”). This policy further confirms our Company’s intention to make lawful processing of personal data as an essential policy of the Company and to bring transparency by providing information to the Related Persons about the personal data processed by our Company. As already detailed in this Policy, we will process your personal data in line with the principles and rules set forth below. 

THE PRINCIPLES WE ADOPTED IN PROCESSING YOUR PERSONAL DATA

This Policy describes the importance we give to the privacy of your personal data as ALD Automotive. We will now attempt to describe the methods we employ in the collection of your personal data and how we use them. Please read this part carefully and help us in making the relevant process as transparent, fair and safe as possible for your benefits. 

The principles set out below are taken as a basis in the processing of your personal data as per Article 4 of the LPPD:

  • Processing in accordance with Law and Rule of Honesty: Our Company is acting in line with the principles set forth by law and also with the rule of honesty and reliability while processing your personal data. Our Company takes into account principles of proportionality in processing of your personal data and does not use personal data for any purpose other than the intended purpose.
  • Ensuring that Personal Data are Correct and Up-to-Date: Our Company takes into account the fundamental rights of the personal data owners and its own legitimate interest and on that basis, it ensures that personal data processed are correct and up-to-date.
  • Processing for Definite, Clear and Legitimate Purposes: Our Company has set for itself a very clear and definite goal about processing personal data only in line with legitimate purposes and law. Our Company is processing personal data only in connection with and to the extent necessary for the products and services offered by us.
  • Personal Data being Related and Limited to and Proportionate with the Purpose of Processing: Our Company is processing personal data in such manner allowing it to achieve the predefined purposes of processing and avoids from processing personal data that are not related to these purposes or that are needed in our processes. 
  • Retaining Personal Data as long as Needed for the Processing Purposes or as Required under the Applicable Legislation: Our Company will retain the personal data processed only for the period required under the applicable legislation or for the specific purpose of processing. In that regard, our Company first determines whether personal data must be retained for a specific period required under the applicable legislation and if such period is prescribed by law, our Company acts accordingly and if no such period had been defined, we retain the personal data processed by us only as long as necessary for the specific purpose of processing them. At the expiration of this time period or ceasing of the reason behind the specific processing purpose, personal data will be deleted, destroyed or made anonymous by our Company.

HOW DO WE ASSURE SAFETY AND INTEGRITY OF YOUR PERSONAL DATA?

Pursuant to Article 12 of LPPD, we are taking technical and administrative measures to achieve suitable level of safety in order to prevent illegal processing of and access to the personal data and ensure lawful protection of personal data. In that regard, we are organizing audits in our premises as per Article 12 of LPPD.

If personal data are unlawfully collected or processed by others, we have in place a system enabling us to inform the Related Persons and the Board as soon as possible or in any case within 72 hours after we became aware of that breach. If the Board deems it necessary, this unlawful processing may be also announced on the website of the Board or by some other method.

In our Company, only teams and employees who need to know your personal data are given access to that data. For that purpose, we developed various policies and took all kinds of security measures to keep the files of employees, consultants and service providers confidential. Now, we will give information about the principal technical and administrative measures taken to prevent illegal processing and accessing of personal data and ensure lawful protection of personal data:

Technical Measures

In the protection of the personal data collected, we are using generally accepted standard technologies and operational safety methods including the standard technology named as Secure Socket Layer (SSL). However, because of the intrinsic nature of the Internet, personal data may be accessed on the networks by unauthorized persons who could override the security measures. Therefore, we take certain technical and administrative measures in order to protect your personal data against risks of destruction, loss, alteration, unauthorized disclosure or unauthorized access depending on the current status of the technology, cost of technological practices and nature of the data to be protected. For that purpose, we enter into non-disclosure agreements with our service providers in order to assure security of personal data.  

1. Assuring cyber security: We are using cyber security products in order to assure security of your personal data but technical measures we normally take are not only limited to such cyber security products. Measures such as firewall and gateway stand as the first line of defense against the attacks coming from the Internet. Almost all of the software and hardware pass a certain installation and structuring process. Any software or services that are not used any more are removed from the devices since some of the most commonly used software could have documented security gaps. Therefore, we prefer to delete such software and services instead of trying to maintain their current version, because this is easier. With the patch management and software updates, proper operation of the software and hardware is enabled, and regular controls could be made to determine level of success achieved by the security measures taken.

2. Access Limitations: Access authorities used to access the systems containing personal data are restricted and regularly reviewed. In that regard, access authorities are granted to the employees only to the extent needed for their authorities and responsibilities arising from their jobs and duties and access is enabled to the relevant systems by using a username and password. While creating such passwords, combinations containing upper and lower cases, numbers and symbols should be preferred to the series of numbers and letters that are related to personal data or that could be guessed easily. Access authorization and control matrix is developed accordingly.

3. Encryption: In addition to strong password use, certain methods are employed for putting limitation on the access and for protection from commonly seen attacks such as brutal force algorithm (BFA) involving restricting the number attempts to be made to enter the password, ensuring regular change of passwords, opening the manager accounts and admin authorities only when it is absolutely needed and other measures taken immediately after an employee is removed such as deletion of his/her account or denying the login.

4. Anti-Virus Software: In addition to above mentioned measures, products such as antivirus and antispam are used to regularly scan the information system network and to detect the threats in order to be protected from malicious software and these products are also updated and relevant files are scanned periodically. However, if personal data will be obtained from different Internet sites and/or mobile application channels, care is taken to make the connections via SSL or safer method.

5. Following-up Personal Data Security: For that purpose, it is controlled which software and services are operated in the communication networks; any leakage from or unexpected incident involving the communication networks is determined without delay; records of the transactions made by all users are kept regularly (such as login records); and security problems are reported as soon as possible.  An official reporting procedure has been also developed in order to help the employees to report the security gaps in the systems and services as well as those threats using these gaps. Evidences are collected and safely maintained when there is a threat involving collapse of the communication system, use of malicious software, attacks to keep out of service, entrance of deficient or incorrect data, breaches involving confidentiality and integrity of data and abuse of the communication system.

6. Ensuring Security of those Media containing Personal Data: If personal data are maintained in the devices or on the documents kept at the premises of the data controller, physical security measures are taken against certain threats such as loss and stealing of these devices and documents. Physical environments containing personal data are protected against external risks (e.g. fire, flood, etc.) and entrances/exits to/from these environments are controlled.

If personal data are kept in electronic environment, access between the network components is restricted or the components are separated in order to prevent a potential personal data security breach. For example, if personal data are processed only in a specially allocated part of the network used for that purpose, available resources could be allocated to ensure security partially if not in the entire network.

Same level of measures is taken in connection with the hardcopy environments, electronic environment and devices containing personal data belonging to the Company, which are available outside the Company’s premises. Actually, personal data security breaches mostly occur because of the loss or stealing of those devices containing personal data (i.e. laptops, mobile phones, flash disks etc.) but personal data to be provided in an e-mail or by postal service is sent very carefully after taking sufficient measures. If the employees gain access to the information system network by using their personal electronic devices, sufficient security measures are taken to protect them.

Access control authorization and/or encryption methods are used against the risks of loss or stealing of those devices containing personal data. For that purpose, encryption key is kept in an environment that could be accessed only by authorized persons and all unauthorized access attempts are prevented.

Hardcopy documents containing personal data are kept in locked cabinets that could be accessed by only authorized persons and all unauthorized access attempts to these papers are prevented. 

Pursuant to Article 12 of LPPD, it is our Company policy to inform the Board and data owners immediately after becoming aware of an illegal access to their personal data by unauthorized persons. The Board may announce that breach on its website or by using another method deemed necessary.

7. Storage of Personal Data in the Cloud: If personal data are stored in the cloud, the Company must assess the adequacy and appropriateness of the security measures taken by the cloud storage service provider. In that regard, scope of the personal data stored in the cloud is known in detail and backups are taken from that data, while ensuring synchronization and a two layered identification control is employed for distant access to the personal data when necessary. During storage and utilization of the personal data contained in these systems, data is encrypted with cryptographic methods and transferred to the cloud environments only after they are encrypted and separate encryption keys are used for the personal data in each possible environment, especially for each cloud solution used. Upon termination of the cloud communication services relationship, all copies of the encryption keys that could be used to render personal data useable are destroyed. Accesses to the data storage areas containing personal data are logged and improper accesses or access attempts.   

8. Supply, Development and Maintenance of Information Technologies Systems: The Company will take into account security requirements when it is determined that the Company needs to supply and develop new systems or to improve existing systems. 

9. Taking Backups from Personal Data: The Company aims to restart its activities as soon as possible by using the backed-up data when the personal data are damaged, lost, stolen etc. due to any reason whatsoever. Access to the backups of personal data will be granted only to the system manager and backup data sets are maintained outside the network. 

Administrative Measures

  • All activities carried out by our Company are analyzed in detail for each department and as a result of this analysis, a processed based personal data processing inventory has been developed. Risky areas in this inventory are determined and necessary legal and technical measures are taken at all times. (For example, documents to be prepared under LPPD are prepared after taking into account the risks affecting this inventory.)
  • Personal data processing activities carried out by our Company are audited with the use of information security systems, technical systems and legal methods. Policies and procedures are developed about the personal data security and regular controls are made. 
  • Our Company sometimes procures the services of external service providers in order to meet its information technologies requirements. In such cases, our Company first becomes sure that such external service providers processing personal data have established and use those security measures at least as strict as those used by our Company. In this case, a contract containing the elements listed below as minimum will be signed with the data processor:

o   The data processor must act in accordance with LPPD and other applicable legislation in relation to the purpose and scope of data processing to be made in line with the instructions of the data controller,

o   The data processor must act in according with the Policy on Storage and Destruction of Personal Data,

o   The data processor must have an indefinitely valid confidentiality obligation in connection with the personal data processed by it, 

o   The data processor must inform the data controller immediately after any data breach,

o   Our Company will be entitled to make necessary audits on the data processor’s systems containing personal data and to conduct on-site inspections on the audit reports and operations of the relevant service provider, 

o   Data processor must take all technical and administrative measures to ensure security of personal data, and

o   Categories and types of the personal data transferred to the data processor will be provided under a separate section to the extent possible due to the nature of our relationship with the data processor. 

  • As already emphasized in the guidelines and publications published by the Authority, personal data are reduced to the minimum in line with the data minimization principle and unnecessary, out-of-date personal data or personal data that do not serve a special purpose are not collected and if such data had been collected in the period before LPPD, they shall be destroyed in accordance with the Policy on the Storage and Destruction of Personal Data. 
  • Expert personnel will be employed to deal with the technical issues.
  • Our Company has determined specific provisions for confidentiality and data security, which must be integrated into the Employment Contracts to be signed with the employees and expects its employees to act in conformity with these provisions. The employees are regularly informed and trained about the law on the protection of personal data and measures to be taken under this law. Roles and responsibilities of the employees have been reviewed, with the job descriptions revised according to these provisions.
  • Technical measures are taken according to the technological developments and the measures taken are periodically controlled, updated and replaced.
  • Access authorities are restricted and these authorities are regularly reviewed.
  • All technical measures taken are reported to the superior officer and any risky areas are reviewed again in order to produce technological solutions to the relevant problems.
  • Software and hardware including antivirus systems and firewalls are installed.
  • Backup programs are used in order to safely store the personal data.
  • Security systems are used for the storage areas; technical measures taken are periodically reported to the relevant personal as a requirement of internal controls; any risky areas are evaluated again and necessary technological solutions are developed. Files/printouts stored in physical environment are maintained through the supplier firms and then destroyed in line with the relevant procedures.  
  • Top management is deeply committed to the achieve sufficient protection of personal data and a special committee has been created for that purpose (“the Committee”) and started its activities. A management policy regulating the working principles of the Committee has been put into force in the Company and duties of the Committee have been described in detail. 

WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA?

Pursuant to Article 11 of LPPD, you as a Data Subject, have the following rights in connection with your personal data: 

  • Learning whether your personal data was processed by our Company,
  • Requesting information about the personal data processed, if any,
  • Learning the purpose of processing of your personal data and whether they are used in line with that purpose,
  • Knowing the identity of third persons to whom your personal data was transferred in and out of the country,
  • If your personal data was processed deficiently or incorrectly, requesting correction of your personal data and also demanding that this process made on your personal data is notified to the third persons to whom your personal data was transferred in and out of the country,
  • Requesting deletion or destruction of your personal data when the reasons requiring data processing cease to exist although your personal data had been processed in accordance with LPPD and applicable laws and also demanding that this process made on your personal data is notified to the third persons to whom your personal data was transferred in and out of the country, 
  • Raising objection against the results developing against you because of analysis of the processed data exclusively by the automated systems, and
  • If you had suffered losses due to illegal processing of your personal data, claiming recovery for these losses.

You may forward any of these demands to our Company without any extra charge by using any of the methods listed below pursuant to the Communique on the Methods and Principles for the Applications to the Data Controller:

  1. By clicking on the Link, you will access to the Information Request Form and after completing this form with your wet signature, you must personally deliver it to ALD Automotive Turizm Ticaret A.Ş. at the address Kavacık Ticaret Merkezi, Rüzgarlıbahçe Mahallesi, Çam Pınarı Sokak No:1 B Blok, Beykoz İstanbul.
  2. By clicking on the Link, you will access to the Information Request Form and after completing this form with your wet signature, you must deliver it to ALD Automotive Turizm Ticaret A.Ş. at the address Kavacık Ticaret Merkezi, Rüzgarlıbahçe Mahallesi, Çam Pınarı Sokak No:1 B Blok, Beykoz İstanbul through a notary public.
  3. By clicking on the Link, you will access to the Information Request Form and after completing this form with your “safe electronic signature” or mobile signature as per the Electronic Signature Law numbered 5070, you must send the signed the form to the address kvk.tr@aldautomotive.com through an electronic mail address not included in our system.
  4. By clicking on the Link, you will access to the Information Request Form and after completing this form, you must send it to the address kvk.tr@aldautomotive.com by using a registered electronic mail (KEP) address
  5. By clicking on the Link, you will access to the Information Request Form and after completing this form, you must send it to the address kvk.tr@aldautomotive.com through an electronic mail address included in our system.

In this application,

Name/surname must be present and if it is a written application, it must bear your signature, including your TR Identity Number for citizens of Republic of Turkey and nationality, passport number or identification number, if any, for the foreigners and residence addresses or work address at which notices will be received, electronic mail address, if any, for receiving notices, phone and fax number and nature of the request. Any information and documents relevant for the matter in question will be attached to the application.  

Third persons have no right to act on behalf of the Data Subjects in order to exercise their rights regulated under Article 11 of LPPD. In order for a person other than the Data Subject to make a request about the personal data of that Data Subject, he/she must submit the wet signed and notary attested special power of attorney issued in the name of the person who will file the application on behalf of the Data Subject. In the application you will file in order to exercise above-mentioned rights available to you as a Data Subject, which will contain your explanations about the specific right you wanted to exercise, your request must be expressed clearly and in an easily understandable manner; your request must be directly related to your person or if you are acting on behalf of another person, you must have specially authority for this action, which must be documented and your identification and address details must be added to the application and documents confirming your identity must be attached to the application.   

If the process requested by a Data Subjects brings extra costs, the fee indicated in the tariff determined by the Board may be charged by our Company. The method of payment for this fee will be indicated on the Application Form. 

If Data Subjects forward their requests to our Company by using any of the methods detailed in this Policy, our Company will finalize the request as soon as possible or in any case within 30 (thirty) days depending on the nature of that request.

In order to determine whether the applicant is a Data Subject, our Company may request information/documents from the Data Subject. Our Company may also direct questions to the Data Subject in order to clarify the issues mentioned in his/her application.

If this application is denied or response given is found insufficient or no response is given to the application on a timely basis, the Data Subjects may file an objection to the Board within 30 (thirty) days after learning about the response given by our Company and in any case within 60 (sixty) days following the application date.

UNDER WHICH CONDITIONS DATA SUBJECTS CANNOT ASSERT THEIR RIGHTS?

Data Subjects may not assert the rights available to the personal data owners under the following conditions since they are kept out of the scope of LPPD as per Article 28 of LPPD:

o   Processing of personal data for the purpose of research, planning and statistics by making them anonymous through official statistics,

o   Processing of personal data for the purpose of arts, history, literature or scientific purposes or as part of the freedom of expressions provided that national defense, national security, public security, public order, economic security, privacy of private life or personality rights are not infringed or such processing does not constitute any crime,  

o   Processing of personal data as part of preventive, protective or intelligence activities carried out by the public authorities delegated by law in order to ensure national defense, national security, public security, public order or economic security, or   

o   Processing of personal data by judicial authorities or enforcement authorities in connection with an investigation, prosecution, trial or enforcement.  

Pursuant to Article 28/2 of LPPD, the personal data owners may not exercise their rights in the following circumstances except for the right to claim recovery of the losses: 

o   When processing of personal data is necessary to prevent crime or conduct a criminal investigation, 

o   Processing of personal data that entered into public domain through the efforts of the relevant data owner,

o   When processing of personal data is necessary in the conduct of audit duties or regulatory duties and in the performance of a disciplinary investigation or prosecution by the public authorities or occupational organizations considered as public institution based on the authority granted by law, or  

o   When processing of personal data is necessary to protect the economic and financial benefits of the states in connection with the budget, taxation and financing issues. 

WHEN DO WE COLLECT YOUR PERSONAL DATA?

We will collect your personal data in the following conditions:

  • When you purchase or use our products or services including renting corporate cars and sale of second hand vehicles,
  • When you sell us goods or provide us with your services,  
  • When you subscribe to our news bulletins or prefer to receive our marketing messages,
  • When you make contact with us through phone, e-mail etc. in order to forward your requests, objections or feedback, 
  • When you apply to our Company for a job,
  • When you participate into our activities, seminaries, conferences or other organizations,  
  • When you establish communication with us for any purpose whatsoever as potential customer / supplier / business partner / sub-employer,
  • When you visit our headquarters,
  • When have access to or use our website, mobile or digital applications, and 
  • When you interact with our Company through our call center, contracted dealers etc. 

We will process the personal data obtained in the above-mentioned conditions only in line with the requirements of this Policy. 

CATEGORIES OF DATA SUBJECTS

You may find the categories of Data Subjects whose personal data are processed by our Company as listed below. Besides that, any persons not included in one of the categories listed below are entitled to forward their requests to our Company under LPPD and these requests will be evaluated like the other ones.   

4
 

FOR WHICH PURPOSES ARE WE USING YOUR PERSONAL DATA? 

Our utilization purposes for your personal data vary depending on the type of our business relationship with you (e.g. customer, supplier, business partner, etc.). As ALD Automotive Turizm Ticaret A.Ş., we will use your personal data for the purposes listed below and these purposes change depending on the specific services provided.

(i)   Management of the existing relationship with you and your company at a general level (ALD Automative Affiliates); giving responses to the potential requests; opening customer accounts; fulfilling the orders you had given for services and for the related activities; management of events / incidents; forwarding you information about your contract; giving responses to your questions and requests; providing customer services; account management and providing account support services; training of our personnel engaged in these activities and providing you with other account-related services;

(ii)   For partners: fleet management services supported with reports and other practices; main accounts; providing help to the call-center and follow-up services for international main account fleets;

(iii)   For the purpose of managing international customer relations (ADL SA); performing customer satisfaction surveys and quality measurements in the course of relations managed by ADL SA at global level within the scope of rent-a-car activities carried out with its subsidiaries; gathering quality information/data from whole world in order to determine the quality of the services provided by the Company at a global level; presenting to the management the results of the surveys conducted about customer satisfaction about the products, services or contents and following-up customer requests and after-sales services;

(iv)   Presenting customer satisfaction surveys to the professional traders for the purpose of remarketing the rent-a-car services (executed by the Affiliates of ALD Automotive) over the online platform used for the marketing of those used cars under the lease contracts;

(v)   Comparing invoices with the profitability targets and providing financial reporting on various matters to ALD Authorities (from the Sales, Procurement, Finance and Risks, Pricing and Insurance Departments) including operational performance of ALD Group, purchases and pending legal cases; 

(vi)   Presenting car tracking applications to the drivers (for example Ecodrive) or offering fleet management tools to the managers;

(vii)   Reporting to the customers results of the customer satisfaction surveys;

(viii)   Marketing purposes: Subject to your prior consent, we may use your personal data in order to inform you about new offers or services or special offers that we believe to be important or in order to send you marketing messages and news; we may analyze your customer profile and preferences or we may carry out multi-channel marketing campaigns by contacting with you via automated means, SMS, e-mails or sending you brochures;   

(ix)   Customer satisfaction: Based on targeted marketing tools and analysis, we may send you surveys enabling you to make qualitative analysis about our products and services;

(x)   We may invite you to join marketing activities, games or tests through our mobile applications and/or web sites;

Web Sites and Cookies and News Bulletins: We may collect your personal data through cookies in order to retain your preferences and parameters so that you can gain time (for example language preferences); help you to login our site; fight with fraud; and analyze the performance achieved by our services provided on our web site and in this manner, we could support your browsing activities at our site and enrich our experiences with you;

That type of information helps us to improve our web sites and applications and to better understand the products and services you may prefer.

We also use these cookies to conduct web analyses that are helpful in measuring the activities carried out on the web sites and determining the mostly visited areas in the web sites.

Although we are using functional cookies in order to facilitate your visit to our web sites or applications, you may inform us about your preferences relating to the cookies used in the behavioral targeting advertising by changing the privacy settings on your browser. Such preferences include demanding storage of information on the terminal or preventing processing of the information already stored on this terminal and they will be functional unless you activate the feature allowing storage or processing.

(xi)   Creating customer profiles: We may use your personal data in order to better understand any areas of concern or interest coming from you; improve our web site and services; customize your experiences with us and shape our marketing activities according to your needs and areas of interest. We sincerely believe that providing better services to you and responding to your needs in line with the applicable regulations will also help us in our activities. 

(xii)   Execution of data processing for the purpose of knowing your customer, credit checks and customer scanning through the use of white labeled partnerships established with international customers (i.e. customers of ALD Automotive and customers having direct relations with ALD SA) and carrying out customer rating activities;  

(xiii)   We will also use your personal data for legal, administrative or audit purposes and for keeping work records. Finally, we will use your personal data to meet the data processing requirements arising from insurance and legal affairs.

FOR WHICH LEGAL REASONS DO WE PROCESS YOUR PERSONAL DATA?

We will process your personal data for the following legal reasons regulated under Articles 5 and 6 of LPPD in line with the Turkish Commercial Code numbered 6102, Turkish Code of Obligations numbered 6098, Tax Procedure Law numbered 213 and applicable legislation in electronic trade:

7 

Where your personal data can be processed only with your explicit consent, we would like to importantly remind you that if you withdraw your explicit consent, you will be removed from the commercial membership program where processing is made only with explicit consent and you will not be allowed to benefit from the advantages provided you with the help of this processing as of the relevant date.

HOW DO WE PROCESS YOUR SENSITIVE PERSONAL DATA?

Under Article 6 of LPPD, information about your race, ethnical origin, political thoughts, philosophical beliefs, religion, sect and other faith, dressing style, membership to associations, foundations or trade union, health-care data, sexual life, criminal conviction and data relating to security measures and biometrical and genetic data are considered as sensitive personal data and processing of sensitive personal data is subject to stricter protective measures.

In line with Article 10 of LPPD, we will clarify the Data Subjects while we attempt to obtain their sensitive personal data. In that regard, we will provide clarification about ALD Automotive and identity of its representative, if any; specific purposes of processing sensitive personal data; specific parties to which sensitive personal data will be transferred and purposes of transfer; methods employed in collecting sensitive personal data and legal reasons of collection of the same; and rights available to the Data Subjects under Article 11 of the LPPD.

As a rule, we obtain the explicit consent of Data Subjects in writing in order to process their sensitive personal data. However, pursuant to Article 6/3 of the LPPD, explicit consent is not required from the Data Subjects if any of the conditions listed in Article 5/2 of LPPD is met. However, we always obtain the explicit consent of Data Subjects when our activities and processes are not within that scope. In such cases, we offer the Data Subjects the chance to give their explicit consent only for a certain matter or based on information given to them or to express their consent with their free will. However, these conditions do not apply when it is necessary to process personal data relating to health and sexual life of the person. If it is necessary to process the personal data relating to health and sexual life, we obtain their explicit consent in line with the provisions of Article 6/3 of the LPPD.    

We are processing sensitive personal data only after taking proper measures according to the LPPD and making necessary audits. 

WHAT KIND OF PERSONAL DATA DO WE COLLECT?

We are collecting all of the personal date described below: 

  • Identity details, e.g. your name, surname, birth date;
  • Contact details, e.g. city, home phone/mobile phone number or e-mail address;
  • Professional information, e.g. your profession or work address;
  • Financial information, e.g. credit acceptance date;
  • Information about private life, e.g. your sex, nationality; 
  • Education information, e.g. languages spoken;
  • Information about your preferences and habits, e.g. the car you like most;  
  • Your voice, your call may be recorded when you dial ALD Automotive Customer Services;
  • Driver data, e.g. number/copy of your driving license or number of driver license with employee code;
  • Any other information that you decided to share with ALD Automotive on your own, e.g. personal data you shared on your own decision; feedbacks, opinions, demands, complaints, evaluations, critics you shared with us and our evaluations about them; uploaded files; areas of interest; information given for our detailed examination process to be completed before we decide to establish a business relationship with you;
  • Legal procedures and compliance information, e.g. your personal data processed for determining our legal receivables and rights and paying our liabilities; fulfilling our legal obligations; complying with our policies and data obtained during inspections and surveys;
  • Data belonging to corporate customers/suppliers, e.g. information obtained about the data owner customers/suppliers or about the data owners such as employees or authorized signatories employed by the customer/supplier as a result of our operations conducted by our business units within the framework of our services;
  • Incident management and security information, e.g. information collected and evaluations made about the incidents that might potentially make an impact on our Company, its employees, managers and shareholders; details of vehicles and plate number; transportation and travel information.

We may also collect your personal data indirectly from our business partners or our on social media platforms. 

We may take your personal information either directly from you (when you create an account on one of our web sites or purchase a product) or collect that information passively (by using follow-up tools such as scanning cookies) or from the third parties (e.g. over our social media platforms).  

COOKIES AND OTHER TRACKING TOOLS

We may collect certain information by automated means using technologies such as cookies, pixel labels, browser analysis tools, server logs and web markers (e.g. Google Analytics) in order to improve your experiences when you visit our web sites or use our mobile applications.

When you use our web sites, we may collect information about the browser you use and your browsing behaviors. 

If you are using our mobile application, we may collect information about your GPS location subject to your consent. We may also learn with which frequency you are using the application and from which source you downloaded the application.

VEHICLE OPERATIONS  

If your company is using our rent-a-car services, we may collect information about the relevant vehicle (vehicle’s registration card and data about the last examination made on the vehicle) and information about the driver behaviors (such as average speed) in order to provide you with the vehicle renting services in accordance with the contract and issue invoices to you or to your company.    

PROCESSING PERSONAL DATA OF EMPLOYEE CANDIDATES

In addition to the above-mentioned categories of personal data, we collect other personal data from the employee candidates about the school they graduated from, previous work experiences, any disability condition etc. in order to understand the candidate’s experiences and qualifications and evaluate whether he/she is fit for that open position; control accuracy of the information provided when necessary; make research about the candidate by contacting the third persons whose contact details were given by the candidate; make communication with the candidate in the job application process; make employment according to the open position; comply with the applicable legislation and implement our recruitment rules and human resources policies. 

Personal data of the employee candidates are processed through the job application form provided in writing or in electronic environment, our Company’s electronic job application platform, applications forwarded to our Company physically or via e-mail, relations with the recruitment and consulting firms, interviews made face-to-face or in electronic environment, controls made by us about the candidate and employment tests performed by the human resources experts to evaluate the condition of the candidate in the employment process. 

Employee candidates are clarified in detail according to the LPPD with a separate document given to them before they forward their personal data to us during their job application and explicit consent is obtained from them for the required personal data processing activities.  

PROCESSING PERSONAL DATA OF THE VISITORS IN OUR OFFICES

We also provide all visitors with Internet access upon their request in order to be used during their time in our offices for the purpose of establishing security and for other purposes defined in this Policy. In such instances, log records of your Internet accesses are taken in line with the Law numbered 5651 and compulsory provisions of the legislation enacted under this law; and these records are processed only when they are requested by authorized public establishments and institutions or when it is necessary for us to fulfill our legal obligations during the audits to be made in the Company. 

In that regard, access to these log records is granted only to a limited number of ALD Automotive employees. Company’s employees having access to these records use these records only according to the orders given by authorized establishments or during audits and share them with the legally authorized persons.

HOW DO WE SHARE YOUR PERSONAL DATA?

We sometimes had to use certain business partners or suppliers for specific purposes in order to provide you with the requested services and improve your experience. In that regard, your personal data is shared only on a need-to-know basis. You may find below examples of the parties to whom we will transfer your personal data:

We may transfer your personal data to the service providers operating in the call center area (these are based in certain countries such as Brazil, Mexico, Turkey and Romania) or to the service providers providing data storage, maintenance and support services (these are based in certain countries such as India and United States) and to the providers of other tools needed in the processing of information belonging to our customers and potential customers.  

Your personal data may be transferred to the geographical partners based in Argentina, Australia, El Salvador, Honduras, Guatemala, New Zealand, Nicaragua, South Afrika and United States and for the purpose of providing you with insurance services at a global level.  

Your personal information is also shared with our internal departments including sales, customer care/quality department, marketing, IT services, support and maintenance services and with the other entities of ALD Automotive that are entitled to use your personal data only under this Policy within the ALD Automotive Group.  

Information is further shared with our service providers based in France and European Economic Area such as data storage service providers, call centers and data managers and these service providers are reminded that they shall use your personal data only according to our instructions.

Information is shared with our independent marketing partners only after your explicit consent.

Information is shared when necessary to realize the sale or transfer of the Company’s assets; during bankruptcy proceedings; when we need to enforce our rights or protect our properties or protect the rights, properties or security of others; or when it is necessary to provide support to the external audits, compliance and governance inspections.   

Table below summaries the parties to which ALD Automotive transfers personal data, gives description of these parties and details the purposes of data transfer.  

8
 

We will inform the Data Subjects about the groups of persons to whom their personal data will be transferred in accordance with Article 10 of LPPD. When we plan to transfer your personal data, we aim to ensure top level of protection for your personal data by entering into data transfer agreements prepared according to the applicable legislation with the parties to whom we will transfer your personal data. 

Certain countries receiving your personal data or having access to such data may not have laws as strict as those applicable in the country in which you transferred your data. You may obtain the list of these countries by contacting us via the e-mail address given: kvk.tr@aldautomotive.com 

FOR HOW LONG DO WE RETAIN YOUR PERSONAL DATA?

We will retain your personal data only as long as it is necessary to achieve the relevant purposes of collection. However, we determine these periods separately for each business process and we destroy your personal data in line with the requirements of LPPD if there is no other reason requiring us to store your personal data beyond the expiration of these periods.  

We are taking into account the criteria given below when we determine the periods for destruction of your personal data: 

  • The time period accepted for the specific purpose of processing the relevant data category according to general practices applicable in the sector in which the data controller is operating,
  • The time period during which legal relationship established with the data subject continues and requires the processing of personal data in the relevant data category,
  • The time period during which the legitimate interest to be obtained by the data controller depending on the specific purpose of processing the relevant data category will be valid by law and according to the rule of honesty,
  • The time period during which the risks, costs and responsibilities arising from the storage of relevant data category according to the specific purpose of processing will continue to be legally valid, 
  • Whether the maximum period to be determined is appropriate for keeping the relevant data category correct and up-to-date,
  • The time period during which the data controller is obliged to retain the personal data in the relevant data category due to its legal obligations,
  • The period of prescription determined by the data controller to raise a right arising from the personal data in the relevant data category.

HOW DO WO DESTROY YOUR PERSONAL DATA?

Although the personal data has been processed in accordance with the provisions of the relevant law in accordance with the regulation of Article 138 of the Turkish Penal Code and Article 7 of LPPD, in case the reasons for data processing are eliminated, such personal data will be deleted upon our Company's own decision or upon the request of the personal data owner in this direction. For that purpose, a Policy for the Storage and Destruction of Personal data has been developed by our Company. When our Company is entitled and/or obliged to retain the personal data in accordance with the provisions of the applicable legislation, our Company reserves its right to deny this request made by the data owner. When personal data are processed by non-automated means that are part of any data recording system and when it is necessary to delete/destroy personal data, they are physically destroyed in such manner that they could not be used again. When our Company reaches an agreement with a person or entity for the processing of personal data on behalf of us, personal data will be safely deleted in such manner that such personal data could not be used anymore by these entities. Our Company also makes the personal data which has been processed in terms of legal requirements anonymous when the processing reasons arising from such legal requirements cease to exist.  

WHAT IS THE RELATION OF THIS POLICY WITH THE OTHER COMPANY DOCUMENTS?

This Policy is accepted as a fundamental regulation prepared about the processing of personal data. The Policy has been prepared in conformity with the other policies, procedures and processes prepared by our Company with similar purposes. In the event of a conflict between the other policies, procedures and processes created by our Company with similar purposes and this Policy, this Policy shall prevail in the matters concerning processing of personal data.

ALD Automotive Turizm Ticaret A.Ş.

Kavacık Ticaret Merkezi, Rüzgarlıbahçe Mahallesi, Çam Pınarı Sokak No:1 B Blok,

Beykoz /İstanbul

Phone No: 444 88 30

WHAT HAPPENS WHEN WE REVISE THIS POLICY?

This policy may be revised from time to time in line with the amendments made to the laws and regulations relating to the processing of personal data, to the applicable legislation and to our other Company policies. We highly recommend you to regularly check this page if you want to have access to the latest information about our confidentiality practices.  

Call Us
444 88 30