Our Data Protection Policy

USB Certification Denetim Gözetim ve Belgelendirme Hizmetleri A.Ş. (the Company, USB Certification) processes personal data—which is regulated and safeguarded primarily by the Constitution of the Republic of Turkey and the Personal Data Protection Law No. 6698 (KVKK)—in accordance with the methods, legal basis, purposes, and conditions set forth below, and takes the utmost care and diligence in implementing all necessary administrative and technical measures to ensure their protection.

1. Data Controller

As USB Certification; acting as the data controller, we process the personal data we obtain from you in the manners specified below, as appropriate to the situation, within the scope of our business relationship with you; in a manner that is limited and proportionate to the purpose requiring such processing and in connection with that purpose; ensuring the accuracy and up-to-date status of the personal data as you have provided or as it has been reported to us, and that such data will be recorded, stored, retained, revised, shared with institutions legally authorized to request such personal data, and transferred to third parties within or outside the country under the conditions stipulated by the KVKK, classified, and processed in other forms as listed in the KVKK.

1. Purposes of Processing Personal Data

Your personal data may be processed by the Company for the purposes and legal grounds specified below, as well as for similar purposes and grounds not limited to these.

To fulfill the necessary purpose of the employment contract, specifically;

• Approval of employee leave, viewing of remaining leave balances, and management of leave arrangements
• Processing of employee termination procedures
• Ensuring the processing of payroll
• Making salary payments to employees

To fulfill the requirements under the Labor Law, the Occupational Health and Safety Law, the Social Security Law, and related legislation, as well as other laws and regulations, specifically;

• Creating employee personnel files
• Submitting SGK reports, İŞKUR reports, and police station notifications, as well as providing information on incentives and legal obligations
• Ensuring the opening of a mandatory individual pension insurance account
• Opening accounts for private/supplementary health insurance and personal accident insurance, and ensuring the necessary notifications are made
• Monitoring employee attendance records
• Calculating incentives
• Making payments related to wage garnishments for employees in enforcement cases
• Submitting legal notifications regarding workplace accidents
• Conducting occupational health and safety procedures
• Compliance with other data retention, reporting, and disclosure obligations prescribed by legislation, relevant regulatory bodies, and other authorities
• Using personal data to purchase airplane and bus tickets, make hotel reservations, and arrange car rentals for upcoming business trips and audits
• Enforcing court rulings

Due to requirements arising from the performance of customer contracts, specifically;

• Distinguishing between valid and invalid customer complaints, enhancing customer satisfaction, understanding customer needs, and ensuring the improvement of processes related to the customer
• Evaluating service quality for the customer and providing training to employees

For the management of the company, the conduct of business, and the implementation of company policies, specifically;

• Monitoring and reporting on the performance and development of company employees

• Verifying, approving, and ensuring the development and monitoring of qualifications for assigned positions
• Activating user permissions for the USB Pruva software
• Making expense reimbursements to employees
• Ensuring communication with employees
• Confirming that an employee assigned or permitted to use a vehicle is qualified to drive and has not lost their driver’s license for any reason
• Providing a vehicle to the employee
• Arranging for business card printing
• Ensuring that packages received via cargo or courier are delivered to the relevant employee
• Monitoring the use of company vehicles for employee safety and the conduct of business
• Arranging travel and visa procedures
• Creating the employee’s work email by entering their data into Outlook
• Recording documents collected during the employee’s job application and interview process
• Sharing information and/or photos on the company’s social media accounts regarding corporate events, meetings, etc., and facilitating communication for celebratory purposes
• Sharing photos of individuals for promotional purposes in the company’s printed and digital promotional materials, on the website, and across all social media platforms
• Planning training sessions, reporting on training, preparing training certificates, tracking employees who participated in completed training sessions, and monitoring employees’ development processes resulting from the training they received
• Establishing communication with relevant parties in emergency situations
• Conducting satisfaction survey analysis
• Inclusion in company communication channels and groups to ensure internal information flow

Your personal data will be retained for the maximum period necessary as specified in relevant legislation or for the purpose for which it is processed, and in any case, for the duration of the statutory limitation periods.

1. Your Processed Personal Data

As USB Certification, we may process personal data provided to us by employees regarding themselves. The personal data that may be subject to processing are as follows:

Identity Data; First name, last name, date of birth, country of birth, city of birth, gender, marital status, nationality, Turkish ID card information (TCKN, serial number, card number, father’s name, mother’s name, place of birth, province, district, neighborhood, volume number, family serial number, sequence number, household number, page number, registration number, place of issuance, reason for issuance, date of issuance, previous surname), copy of the ID card

Contact Data; Phone number, physical address, email address, internal company contact information (extension number, corporate email address)

Financial Data; Financial and salary details, pay stubs, bonus entitlements, bonus amounts, file and debt information related to enforcement proceedings, bank account statement, minimum subsistence allowance information, private/supplementary health insurance information/amount, Automatic Participation System Individual Pension System information/amount

Sensitive Personal Data; Criminal record, disability status/description/percentage, religious affiliation, health data, blood type, private/supplementary health insurance policy, health reports, pre-employment health report, chest X-ray, hearing test, vision test, pre-employment and periodic examination forms signed by the workplace physician, pregnancy status, pregnancy report, health and maternity leave information, COVID-19 vaccination card, COVID-19 PCR test result report, association/foundation memberships

Education and Qualification Data; Educational status, certificate and diploma information, foreign language proficiency, resume, courses taken, audits attended (Audit Log), Social Security Institution (SGK) information, audit reports, reference letters

Audit Data; Resume, audit report, signed audit documents

Visual and Audio Data; Photographs and video recordings of the individual

Employee Performance and Development Data; Education and skills, information on which training was completed and when, email address, signed participation form, customer audit quality assessment form, performance evaluation and goal achievement status, activity/planning information

Family and Relatives Data; Marriage certificate, spouse’s and children’s first and last names, Turkish ID Number, gender, date of birth, and copies of documents containing this information, phone number; relatives’ first and last names and phone numbers,

Employment Data; Employee ID, position title, department and unit, job title, last date of hire, hire and termination dates, social security enrollment/retirement, social security number, tax office number, status regarding flexible working hours, travel status, BAĞ-KUR enrollment date, BAĞ-KUR ID number, accounting code, number of workdays, projects worked on, monthly total working hours, seniority severance base date, additional days for seniority severance

Leave Data; Leave seniority base date, additional days for leave seniority, leave group, departure/return date, days, reason for leave, address/phone number during leave

Other; Military deferment, vehicle license plate, copy of vehicle registration, vehicle mileage information, vehicle location, copy of driver’s license, traffic violation inquiry result, intern status, employee internet access logs when connecting via the company network, entry/exit logs, entry-exit records, employee daily activity data

1. Transfer of Personal Data

To ensure your security and to fulfill our Company’s legal obligations, your personal data may be transferred in accordance with the Labor Law, the Occupational Health and Safety Law, the Social Insurance and General Health Insurance Law, the Law on the Regulation of Publications Made via the Internet and the Fight Against Crimes Committed Through Such Publications, the Turkish Commercial Code, the Law No. 6698 on the Protection of Personal Data, the Identity Reporting Law, and to the extent permitted and required by other applicable legislation, to relevant institutions or organizations; public legal entities such as the Personal Data Protection Authority, the Ministry of Finance, the Ministry of Agriculture, the Ministry of Trade, the Ministry of Labor and Social Security, and the Turkish Employment Agency (İŞKUR), as well as standard holders such as BRCGS, IFS, FSSC, Global GAP, GOTS, Textile Exchange, ISO, and other standard-setting bodies; accreditation bodies such as IOAS, DakkS, ANAB, ESYD, TÜRKAK, JAS-ANZ, NAC, ENAC, UKAS; and other certification bodies such as ASR, QMSCERT, UDEM, AKSSERT, NSF, ACERTA, and Q-Check. Additionally, your personal data may be shared with;

To fulfill the necessary purpose of executing the employment contract, specifically;

• For the purpose of conducting payroll operations and updating relevant data, it may be shared with an accounting and financial consulting firm.

To comply with the requirements under the Labor Law, the Occupational Health and Safety Law, the Social Security Law, and related legislation, as well as other laws and regulations, specifically;

• Your data may be shared with the consulting firms we work with regarding the determination and calculation of incentives.
• Your health data may be shared with the occupational physician to enable treatment and health check-ups.
• Your occupational physician’s medical opinion report, your COVID-19 vaccination card, and your PCR test result report may be shared with third-party organizations upon request.

To ensure security within the company, specifically;

• Access logs may be shared with building management for the purpose of monitoring entry and exit for workplace safety.

To verify qualifications, specifically;

• Your resumes may be shared.
• Reference letters you have received from previous employers may be shared.
• Audit logs of inspections you attended both prior to and during your employment at USB Certification may be shared.
• Upon request, your complete historical Social Security Institution (SGK) service records may be shared.
• Certificates from training programs you attended both previously and at USB Certification, as well as audit reports from inspections you conducted, may be shared.

To fulfill our legal obligations, particularly;

• To exercise our right to defense, your personal data may be shared with our attorneys and with relevant authorities to comply with legal requests such as court orders or requests for evidence, provided such sharing is in accordance with the law and proper procedure.

For the management of the company, the conduct of business, and the implementation of company policies, particularly;

• To ensure our internal operations with companies we are affiliated with or collaborate with, your personal data may be shared with such companies.
• The necessary personal data may be shared with companies we work with regarding matters such as transportation, travel, visa procedures, vehicle procurement, and business card printing.

In business transactions and operations conducted abroad;

• Your personal data may be shared with third parties abroad to facilitate communication during overseas travel and training, organize travel arrangements, and enable bulk email campaigns.

1. Method of Collection and Legal Basis for Personal Data

As an employer, to fulfill our legal obligations, to execute the employment contract between us, for reasons stipulated by law, and in accordance with the Company’s legitimate interest, we may request from you, we collect your personal data—which is included in your resume or other text you share regarding your application, whether we previously requested it through our platform or platforms where we post job listings, or you chose to share it with us during your job application—by you transmitting it to us via physical or electronic means and by you storing information accessible to multiple users on the Company’s computer programs, applications, and servers or on the internet.

In accordance with the Company’s legitimate interest in managing its operations, we collect data regarding your entry and exit times by monitoring them; we also collect data related to the tracking of vehicle and fuel usage provided to you for the purposes of ensuring workplace safety and fulfilling our legal obligations, through tracking devices installed in Company-owned vehicles.

To fulfill our legal obligations and as required by law, we collect your health data in physical form, and to ensure workplace safety, we collect your personal data in physical or electronic form.

We collect data through legal documents and notifications sent to us to fulfill our legal obligations.

1. Rights Regarding the Protection of Personal Data

Pursuant to Article 11 of the KVKK, regarding your personal data and special category personal data:

1. The right to inquire whether your data has been processed
2. The right to request information if processed
3. The right to learn the purpose of processing and whether it is being used in accordance with that purpose
4. The right to know the third parties to whom your data has been transferred within or outside the country
5. Requesting correction if processed incompletely or incorrectly, and requesting that this action be notified to third parties to whom the personal data has been transferred
6. Requesting erasure/destruction within the framework of the conditions set forth in Article 7 of the KVKK
7. Requesting that the third parties to whom your data has been transferred be notified of the actions taken pursuant to subparagraphs (d) and (e) above
8. Objecting to a decision made solely through automated systems that results in adverse consequences for you
9. Requesting compensation for any damage you may have suffered due to unlawful processing

You have the right to make such requests.

1. Method of Submitting a Request to the Company

As a data subject, you may submit requests regarding the rights listed above to USB Certification by personally submitting a written request to the Company’s address listed below, through a notary public, using a registered email address, or via other methods determined by the Personal Data Protection Board.

Data Controller: USB CERTIFICATION AUDIT, SUPERVISION, AND CERTIFICATION SERVICES INCORPORATED

Address: İsmet Kaptan Mah. Hürriyet Blvd. No:4/1 D:23 Kavala Plaza Çankaya/Konak/Izmir

MERSIS No.: 0894080709400001

KEP Address: usb@hs01.kep.tr