Data Breach Response Plan

1. PURPOSE

The purpose of this Plan is to define the roles and responsibilities, and to regulate the procedures and principles, that apply within PROTON OTOMASYON ELEKTRİK MAKİNA İNŞAAT TAAHHÜT SANAYİ VE TİCARET LİMİTED ŞİRKETİ (“PROTON”), including in particular all other affiliated subsidiaries and other companies within its structure, as the data controller, in the event that personal data are obtained by others through unlawful means. These matters include determining who is responsible, to whom reporting will be made internally, the notifications to be made within the scope of the Law, and the evaluation of the possible consequences of the data breach. The personal data concerned are those processed for the purpose of protecting the fundamental rights and freedoms of individuals, primarily the privacy of private life, preventing the unlawful processing of personal data, preventing unlawful access to personal data, and fulfilling the obligations to take all necessary technical and administrative measures to ensure the appropriate level of security for the retention of personal data.

2. SCOPE

The scope of this Plan includes the employees who are in charge of processing personal data processed by PROTON in physical or electronic environments.

3. DEFINITIONS

In the application of this Plan;
a) Explicit consent: Consent regarding a specific subject, based on information and expressed with free will,
b) Data subject: The natural person whose personal data are processed,
c) Law: The Personal Data Protection Law No. 6698,
d) Personal data: Any information relating to an identified or identifiable natural person,
e) Processing of personal data: Any operation performed upon personal data such as collection, recording, storage, retention, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, or prevention of use thereof, either wholly or partly by automated means or by non-automated means provided that the data are part of a data filing system,
f) Board: The Personal Data Protection Board,
g) Special categories of personal data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and attire, membership to associations, foundations or trade-unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data (the expression “personal data” used hereinafter in this Agreement also covers special categories of personal data to the extent appropriate),
h) Plan: The PROTON Data Breach Response Plan,
i) Data breach: Personal data processed by the data controller being obtained by others through unlawful means,
j) Data processor: The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller,
k) Data filing system: The registration system where personal data are structured and processed according to specific criteria,
l) Data controller: The natural or legal person who determines the purposes and means of processing personal data and who is responsible for the establishment and management of the data filing system.

4. DATA BREACH

Pursuant to paragraph 5 of Article 12 of the Law, a Data Breach is the obtaining of personal data processed by PROTON by others through unlawful means.
In addition to the definition above; the occurrence of a security breach that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, and/or access to personal data transmitted, stored, or processed will also be qualified as a Data Breach within the scope of the Plan.

5. OBJECTIVES

In the event of a Data Breach, the objectives of PROTON within the framework of the Plan are:
1. To investigate the incident causing the Data Breach internally before all relevant departments (in cooperation with law enforcement forces and other public institutions and organizations where necessary),  
2. To detect the source of the Data Breach,  
3. To detect the personal data categories affected by the Data Breach,  
4. To detect the groups of persons/parties affected by the Data Breach,  
5. To detect the current and likely potential impacts suffered by the parties affected by the Data Breach and to ensure that the damages arising from these impacts, if any, are minimized to the utmost extent, 
6. To detect the dimensions of the impacts on PROTON's organization, commercial loss, reduction in operations, reputational losses, and/or financial damages as a result of the Data Breach and to ensure that they are minimized in accordance with the law, 
7. To detect the time of recovery after the Data Breach, 
8. If there is a cyber-attack;
   a. To detect whether information systems are affected by the cyber-attack,
   b. To detect the breach element occurring as a result of the attack,
   c. To detect the impacts of the cyber-attack on PROTON's organization, and the time of recovery after the cyber-attack,
9. To determine the steps taken to prevent the recurrence of the breach and to calculate approximately how much time it will take to complete them,
10. To notify the incident causing the Data Breach or the loss arising as a result of the incident;
   a. In accordance with the Law, to the Board within 72 hours,
   b. To the data subjects affected by the Data Breach through appropriate methods as soon as possible,
   c. To the employees as soon as possible,
   d. If necessary, to other organizations or institutions located in the country within the period in compliance with the relevant legal obligations,
11. To notify other data protection authorities or relevant institutions located abroad within the period in compliance with the relevant legal obligations,
12. To organize an internal audit, arrange training activities, and ensure internal communication after the incident leading to the Data Breach in order to minimize the possibility of Data Breaches occurring in the future,
13. To record information regarding data breaches, their impacts, and the measures taken, and to keep them ready for the review of the Board.

6. OFFICERS AND RESPONSIBILITIES

In the event of a Data Breach, the departments in charge within PROTON pursuant to this Plan shall be determined according to the nature of the incident causing the Data Breach; however, in any case, at least one representative from each of the departments listed in the table below will be assigned. The responsibilities of the representatives are also specified in the same table.

OFFICERS AND THEIR RESPONSIBILITIES WITHIN THE SCOPE OF THE DATA BREACH RESPONSE PLAN
 
Department in Charge: Data Protection Officer
Responsibilities in Case of a Data Breach:
1. To investigate the incident causing the Data Breach internally before all relevant departments (in cooperation with law enforcement forces and other public institutions and organizations where necessary).
2. To detect the source of the Data Breach.
3. To detect the personal data categories affected by the Data Breach.
4. To detect the groups of persons/parties affected by the Data Breach.
5. To detect the current and likely potential impacts suffered by the parties affected by the Data Breach and to ensure that the damages arising from these impacts, if any, are minimized to the utmost extent.
6. To detect the dimensions of the impacts on PROTON's organization, commercial loss, reduction in operations, reputational losses, and/or financial damages as a result of the Data Breach and to ensure that they are minimized in accordance with the law.
7. To detect the time of recovery after the Data Breach.
8. To determine the steps taken to prevent the recurrence of the breach and to calculate approximately how much time it will take to complete them.
9. To notify the incident causing the Data Breach or the loss arising as a result of the incident to the Board within 72 hours in accordance with the Law.
10. To notify other data protection authorities or relevant institutions located abroad within the period in compliance with the relevant legal obligations.
11. To record information regarding data breaches, their impacts, and the measures taken, and to keep them ready for the review of the Board.
12. To organize an internal audit, ensure the arrangement of training activities, and ensure internal communication after the incident leading to the Data Breach in order to minimize the possibility of Data Breaches occurring in the future.
13. In the event that personal data held by the data processor are obtained by others through unlawful means, to ensure that the necessary notification is still made to the Board in case the data processor notifies the data controller without any delay in this regard.
14. To ensure that the Plan is reviewed every 6 (six) months from the effective date.

Department in Charge: IT Department
Responsibilities in Case of a Data Breach:
In the event that the data breach occurs via a cyber-attack or any other electronic means:
1. To detect whether information systems are affected by the Data Breach.
2. To detect the breach element occurring as a result of the Data Breach.
3. To detect the impacts of the Data Breach on PROTON's organization.
4. To detect the time of recovery after the Data Breach.

Department in Charge: HR Department
Responsibilities in Case of a Data Breach:
1. To detect whether the data breach has been carried out by an employee of PROTON.
2. To detect whether PROTON employees are affected by the Data Breach.
3. To detect the breach element occurring as a result of the Data Breach, the impacts of the Data Breach on PROTON's organization, and the time of recovery after the Data Breach.
4. To prepare training activities and carry out internal communication after the incident leading to the Data Breach.
5. To notify the incident causing the Data Breach or the loss arising as a result of the incident to the employees as soon as possible.
6. To carry out the internal audit after the incident leading to the Data Breach.
7. To notify the incident causing the Data Breach or the loss arising as a result of the incident to the data subjects affected by the Data Breach through appropriate methods as soon as possible.
8. If necessary, to notify other organizations or institutions located in the country within the period in compliance with the relevant legal obligations.

7. NOTIFICATION

Notification by the Data Controller

Data Breach notifications must be made to the Board and to the persons affected by the breach in order to ensure that measures allowing the prevention or minimization of adverse consequences that may arise regarding the persons affected by the breach are taken as soon as possible. Pursuant to this Plan prepared in line with the Decision of the Board dated 24.01.2019 and numbered 2019/10 in this regard, PROTON is required to:
1. Notify the Board without delay and within 72 hours at the latest from the date it learns of the Data Breach,  
2. Following the determination of the persons affected by the said data breach, notify the relevant persons within the shortest reasonable time, directly if the contact address of the relevant person can be reached, or through appropriate methods such as publishing it on the data controller's own website if it cannot be reached,  
3. In case a notification cannot be made to the Board within 72 hours due to a justified reason, explain the reasons for the delay to the Board along with the notification to be made, 
4. Use the Personal Data Breach Notification Form located at the address “https://ihlalbildirim.kvkk.gov.tr/” in the notification to be made to the Board,  
5. Read the “Personal Data Breach Notification Form (Internet) Guide” at the same address in case the “Personal Data Breach Notification Form” located at the address https://ihlalbildirim.kvkk.gov.tr/ is used in the notification to be made to the Board,  
6. In cases where it is not possible to provide the information contained in the form at the same time, provide this information gradually without causing any delay, and
7. Record information regarding data breaches, their impacts, and the measures taken, and keep them ready for the review of the Board.
PROTON executes all transactions listed above regarding notification through its units specified in Article 5 of this Plan and given in detail in the table within the same article. 

Principles of Notification to the Data Subject

In line with the Decision of the Personal Data Protection Board dated 18.09.2019 and numbered 2019/271, the notification to be made to the data subjects who are affected or suspected to have been affected by the data breach will be made in a clear and plain language and the notification will contain at least the following elements:
1. When the breach occurred,  
2. Which personal data are affected by the breach on the basis of personal data categories (by making a distinction between personal data / special categories of personal data), 
3. Possible consequences of the personal data breach,  
4. Measures taken or proposed to be taken to reduce the adverse impacts of the data breach,  
5. The names and contact details of the contact persons who will enable the data subjects to obtain information regarding the data breach, or communication channels such as the full address of the data controller's website, call center, etc.

Notification by the Data Processor

In the event that personal data held by the data processor are obtained by others through unlawful means, the data processor must notify PROTON, which is the data controller, without any delay in this regard. Following the notification of the data processor, notification will be made to the Board by PROTON by following the process in Article 6 of the Plan.

Cross-Border Data Breach

In the event that the data breach occurs at a data controller resident abroad, if the consequences of this breach affect data subjects resident in Türkiye and the data subjects benefit from the products and services offered in Türkiye, notification will also be made to the Board by this data controller within the framework of the principles specified in Article 6 of the Plan.

8. EFFECTIVENESS AND REVIEW OF THE PLAN

This Plan prepared by PROTON is valid from the date it enters into force in line with the decision taken by the management body. This Plan, which is prepared and put into effect, is reviewed periodically once a year.

9. UPDATE TABLE

The changes made in this Plan are listed in the table below.
 
UPDATE DATE/VERSION | SCOPE OF UPDATES