PERSONAL DATA PROTECTION POLICY

Our Identity as Data Controller

REACH Global Services S.A. (RGS SA) is a professional regulatory consulting company advising clients in the chemicals and cosmetics industries to comply with European Union and Turkish Republic chemicals legislation. RGS SA is headquartered in Brussels, Belgium and has a strong market presence in Turkey with an office in Istanbul. Our two locations are ideal for maintaining close contact and excellent communication with our clients, especially our Turkish chemical industry clients, but also ensuring proximity to the European Union Commission and CEFIC (European Chemicals Federation) and Cosmetics Europe, all based in Brussels.

REACH Global Services A.S. (RGS AS) is a subsidiary company of RGS SA established in Istanbul, Turkey.

Contact:

RGS SA - Belgium
Reach Global Services SA, Rond Point Schuman, 6 Box 5
B-1040 Bruxelles / Belgium
Phone: +32 (2) 234 77 78   Fax: +32 (2) 234 79 11
E-mail: info@reach-gs.eu

RGS AS - Turkey
Dis Ticaret Kompleksi, A-Blok Çobançesme Mevkii
Sanayi Caddesi 34197 Yenibosna - Istanbul / Türkiye
Phone: +90 (212) 454 09 93   Fax: +90 (212) 454 00 99

 

Definition

GDPR

The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.

KVKK

The Personal Data Protection Law of Turkey, Law Number 6698

Explicit Consent

any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Data Controller

means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Data Processor

means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

Personal Data

means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Belgium Data Protection Authority

Personal Data Protection Authority of Turkey

Turkish Personal Data Protection Authority

Personal Data Protection Authority of Turkey

Data Subject

Identifiable natural person whose data is being processed

Processing

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

RGS

Represents both RGS SA and RGS AS

RGS SA

Joint stock company based in Brussels, Belgium.

RGS AS

Subsidiary company of RGS SA established as a joint stock company in Istanbul-Turkey.

personal data breach

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

Data representative

means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under GDPR

We, as RGS SA and RGS AS, are aware of our responsibility to protect personal data, the security of which is considered a basic human right, and we place importance on the privacy and security of your personal data.

This policy sets out our commitment to ensuring that the processing of any personal data, including special category personal data, is carried out in compliance with the EU General Data Protection Regulation (GDPR), the Personal Data Protection Law of Turkey (KVKK) and all the relevant Turkish and EU data protection legislation. We refer to all these acts, regulations and relevant legislation as “data protection law”.

As RGS SA & RGS AS, we ensure that all personal data processing is done in accordance with “data protection law” and that good data protection practice is embedded in the culture of our staff and our organisation.

This policy applies to all personal data collecting, processing and transferring activity carried out by RGS and is part of RGS compliance with “data protection law”.

All RGS staff are expected to comply with this policy and failure to comply with this policy may lead to disciplinary action for misconduct, including dismissal.

Our Data Processing Principles

Lawfulness, fairness and transparency: We process your personal data lawfully, fairly and in a transparent manner.

Purpose limitation: We collect your personal data for specified, explicit and legitimate purposes and do not further process it in a manner that is incompatible with those purposes.

Data minimisation: All personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Accuracy: All personal data is accurate and, where necessary, kept up to date; reasonable steps will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Storage limitation: We keep your personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality: We process your personal data in a manner that ensures appropriate security of the personal data by using appropriate technical or organisational measures including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Accountability: We are responsible for, and are able to demonstrate compliance with all principles above.

Personal Data

Definition

ID Information

Name Surname, ID Card Number, Social Security Number, Passport Number, ID card copies and such information related to the ID of a person

Contact

Address, Email, Phone number, Postal Code, Mobile Phone number, Instant Messaging Application IDs and such information used to contact a person.

Bank Details

Banking number, cryptocurrency address, PayPal account and such information used to make money transactions to a person

Financial

Information about financial

Health

Medical reports, statement of health, Blood Group …

Disability

Any information that states any disability of a person

Work Experience

Work Experience of a person.

Signature

Signature of an individual

Human Resource Data

Data stored about employees in order to comply with related legislation

Electronic Process Security (Log Records)

IP Log records, Cyber Activity Records, Login records and any other log records for electronic systems

Visual and Audial Records

Media files, video recordings, voice recordings, photographs

Building Security Records

Visitor records, X-rays, camera records and any data stored for building security

Criminal Records

Information about criminal records (due to Labour Law)

Individual

Definition

Employee

RGS SA employees

General Manager

RGS Manager

Intern

Interns

Employee Candidate

RGS Employee Candidate

Customer Company Employee/Executive

The personal data of individuals who work for our customers

Supplier Company Executive/Employee

The personal data of individuals who work for our suppliers

Visitor

Visitors that come to RGS SA Headquarters or Istanbul Office

Website Visitor

www.reach-gs.eu website visitors

We may collect your personal information as an individual for various purposes, such as the following:

Contacting employees of our clients, prospects, partners and suppliers

In our relationship with clients or prospects, partners and suppliers, they also provide us with business contact information (such as name, business contact details, position or title of their employees, contractors, advisors and authorized users) for purposes such as contract management, fulfilment, delivery of our services, provision of support, invoicing and management of the services or the relationship.

Responding to your request for information, services, or support

When you contact us (online or offline) in connection with a request for information, to order a service, to provide you with support, we collect information necessary to fulfil your request, to grant you access to the service or to provide you with support and to be able to contact you.

Access and use of websites or other online service

When entering one of our websites, or using an online service, we will record information necessary to provide you with access, for the operation of the website and for us to comply with security and legal requirements in relation to operating our site, such as passwords, IP address, date/time of connection and browser settings. We also collect information about your activities during your visit in order to personalize your website experience, such as recording your preferences and settings, and to collect statistics to help us improve and further develop our websites, products and services. For further information you can check our RGS Online Privacy Statement.

Your use of our VGS services

We collect information about your use of VGS services to enable product features to operate, improve your user experience, tailor our interactions with you, inform our clients on the overall use of the services, provide support and improve and develop our products and services. For details regarding the technologies we employ, the personal information we collect, as well as how to control or block tracking or to delete cookies, please refer to the RGS Online Privacy Statement.

Visitor information

We register individuals visiting our sites and locations (name, identification and business contact information) and use camera supervision for reasons of security and safety of persons and belongings, as well as for regulatory purposes.

Our Employees

We collect and use our employees’ personal data to plan and execute human resources activities, to conduct occupational health and safety measures, and to fulfil our legal obligations due to Labour Law and the employment contract.

We process special categories of personal data only for our employees.

·         We are obliged to get health reports due to Labour Law and keep them in the employee’s personnel file

·         We will need “Sick Leave Details” due to Labour Law

·         For all employees we need to get criminal records and keep them in the employee’s personnel file due to our legal obligations

·         We will get blood type information of our employees for occupational health and safety measures.

·         We will get health reports for occupational health and safety measures.

Purposes of Data Processing

Your personal data is processed for the purposes of:

·         entering into a contract with you,

·         performing our contract,

·         ensuring customer satisfaction,

·         maintaining our commercial reputation,

·         resolving disputes,

·         preventing fraud (monitoring and control of our systems, credit card payments, determining the validity of your card)

·         business performance and development,

·         the safety and security of our employees and guests, monitoring food safety and cleanliness, monitoring any accidents and undesirable situations, preventing crime and detecting crime (using security cameras and call recording system)

·         marketing of our products and services,

·         conducting our business in accordance with the legal regulations.

Terms of Processing of Personal Data and Our Purposes for Data Processing in Accordance with Them

Personal data may be processed

·         in order to meet legal obligations. In this context, your personal data is processed in order to fulfil our legal obligations.

·         if processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

·         if processing is necessary in order to protect the vital interests of the data subject or of another natural person

·         if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

·         if processing is necessary for the purposes of the legitimate interests pursued by us, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data

Other than in the cases mentioned above, RGS only processes your personal data with your explicit consent.

RGS has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues. RGS implements appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

Use of techniques such as data minimization and pseudonymisation will be considered where applicable and appropriate.

Privacy by Default

RGS implements appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

In accordance with the terms of processing of personal data and our purposes of processing data above, your personal data is transferred to:

Authorized public institutions to fulfil our duties in accordance with our contract with you as Only Representative.

Authorized public institutions and security forces to fulfil our legal obligations, as stipulated by law,

Our suppliers and other real persons and private legal entities in order to continue our commercial activities, to fulfill the requirements of our contracts and to protect our legitimate interests. The main ones are; our processors who are responsible for our ICT infrastructure, payment providers, IT service providers, legal service providers.

Transferring European Citizen Personal Data Outside the European Economic Area (RGS SA)

In accordance with GDPR, we transfer your data to outside the European Economic Area only if one of the conditions below is met:

·         If the country to which we transfer your data has adequate protection according to a European Commission decision.

·         If the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. These safeguards are provided by:

o    standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2) of GDPR;

o    binding corporate rules in accordance with Article 47 of GDPR;

o    a legally binding and enforceable instrument between public authorities or bodies;

RGS SA may need to send personal data of customer employees in order to perform the contract signed between them in accordance with Art. 49 Sec. 1 lit. b GDPR.

Transferring Turkish Citizen Personal Data Abroad (RGS AS)

In accordance with KVKK, we transfer Turkish citizens’ data abroad only with a contract that includes the standard contractual clauses proposed by the Turkish Data Protection Authority, or with the explicit consent of the data subjects.

RGS takes all kinds of administrative and technical measures to ensure the security of your personal data under an information security management system application. As administrative measures:

•  Personal data security policies and procedures have been established, monitoring of personal data security is carried out by senior management,

•  Personal data is not processed except for its purpose, personal data is minimized as much as possible,

•  An authorization matrix has been established for employees,

•  Confidentiality commitments are made with employees,

•  Contracts signed with suppliers and other persons to whom data is transferred include data security provisions,

•  Necessary security measures are taken regarding entry and exit to physical environments containing personal data,

•  Physical environments containing personal data are secured against external risks (fire, flood, etc.).

As technical measures:

•  Cyber security is seen as a whole and digital environments that contain physical infrastructures, applications and information are constantly monitored,

•  Intrusion detection and prevention systems are used,

•  User account management and authorization control system is applied,

•  Firewalls are used,

•  Current anti-virus software is used,

•  Access logs to information systems are kept in such a way that there is no user intervention,

•  Personal data is backed up and stored, and is secured.

RGS is not required to appoint a DPO (Data Protection Officer) under GDPR Article 37. However, because we, as RGS, consider data privacy one of our main concerns, we appoint a DPO to handle the following tasks.

The Data Protection Officer has at least the following tasks:

·         to inform and advise RGS and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

·         to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

·         to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to GDPR Article 35;

·         to cooperate with the supervisory authority;

·         to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in GDPR Article 36, and to consult, where appropriate, with regard to any other matter.

For the DPO (Data Protection Officer) to perform its duties and tasks:

RGS ensures that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

RGS supports the data protection officer in performing the tasks referred above by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.

RGS ensures that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by RGS for performing his or her tasks. The data protection officer shall directly report to the highest management level of RGS.

Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights.

The data protection officer may fulfil other tasks and duties. RGS ensures that any such tasks and duties do not result in a conflict of interests.

The data protection officer is bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union Law, Belgium Law and Turkish Law.

You have the right to withdraw any explicit consent we receive from you regarding our data processing purposes that require your explicit consent. In addition, within the scope of the rights granted to you by the legal regulations, you have the right;

•  to find out if your personal data has been processed, to request information if your personal data has been processed,

•  to find out the purpose for which your personal data is processed and whether it is being used in accordance with its purpose,

•  to know the third parties to whom your personal data is transferred at home or abroad,

•  to request that your personal data be corrected if your personal data is incomplete or improperly processed, to request that they be deleted or destroyed in accordance with the terms set forth in the Act, and to request that such transactions be reported to third parties to whom your personal data is transferred,

•  to object to an outcome against you that arises from the analysis of your processed data, especially through automated systems,

•  to claim damages if you suffer losses due to unlawful processing of your personal data.

We have taken every precaution to make your rights available. However, in accordance with the Rescript on the Procedures and Principles of Applying to the Data Officer published by the Personal Data Protection Board, it was deemed mandatory to have the following information in your application:

  • name, surname and, if the application is written, signature,
  • nationality, ID card number, passport number or, if any, identification number,
  • principal settlement or, if any, workplace address for notification,
  • e-mail address for notification, phone and fax number, if any,
  • subject of the request.

You can prepare a petition containing the above information yourself, or you can exercise your rights by using the application form available from our website, www.reach-gs.eu.

Applications that contain complete information will be finalised in accordance with the law and the rules of honesty within a period not exceeding 30 days. If there is incomplete information in the application, additional information will be requested from you and your application will be answered.

It is possible to submit your application by choosing one of the following 5 methods.

Applying in person: You can apply at our addresses above in person by verifying your identity or by submitting a proxy. The application may also be made with an application form or a petition, but must bear a wet signature.

Application by Mail: You can apply by posting a wet-signed application form or petition to the address above. If the application is made through a proxy, the original power of attorney document must also be placed in the envelope.

Application by Notary: You can apply to the addresses above in person or through a proxy via a notary. In this application, it should be specified by which method the answer is requested.

Application via Registered Electronic Mail (KEP): You can apply by email to ..... Unless otherwise stated, the answer will still be sent to your KEP address.

Application by e-mail: If your e-mail address has been processed by us before, the application can also be done by e-mail to our e-mail address of kvkk@rgs-eu.com.tr

The answer to the application is sent by the method used in the application unless otherwise stated. If you request, a reply can be sent with any of the above methods.

Applications are free of charge. However, if responding incurs a cost, a fee may be charged according to the tariff set by the Personal Data Protection Board. If, on review of the request, it is found that RGS SA was at fault, the fee will be refunded.