PYRMD Group Data Protection and Processing Policy
  1. Purpose and Scope


This Data Protection and Processing Policy (“Policy”) is prepared by PYRMD Group LTD and PYRMD Yapı ve Prodüksiyon LTD ŞTİ (“PYRMD Group Companies” or “the Company”) to establish the principles and procedures regarding the lawful processing, protection, storage, and deletion of personal data under the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

This Policy applies to all personal data processed by the Company in connection with its operations, including those of employees, clients, suppliers, contractors, visitors, business partners, and any other individuals (“Data Subjects”) whose personal data are processed.

The Company undertakes to process personal data lawfully, fairly, and transparently; to ensure their integrity and confidentiality; and to protect the rights and freedoms of individuals whose data it processes.


  2. Legal Framework


The Policy is based on the provisions of the GDPR and other relevant UK and EU data protection laws.
Where applicable, it aligns with the UK Data Protection Act 2018 for processing conducted within the United Kingdom.


  3. Definitions

Personal Data: Any information relating to an identified or identifiable natural person.

Special Category Data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, genetic or biometric data, or sexual orientation.

Data Controller: The natural or legal person who determines the purposes and means of personal data processing (PYRMD Group LTD and PYRMD Yapı ve Prodüksiyon LTD ŞTİ).

Data Processor: A natural or legal person who processes personal data on behalf of the Controller.

Processing: Any operation performed on personal data (collection, recording, storage, alteration, retrieval, transmission, erasure, etc.).

Data Subject: Any identified or identifiable individual whose data are processed.

Supervisory Authority: The data protection authority competent under GDPR (e.g., ICO for the UK, or the relevant EU authority).


  4. Principles of Data Processing


The Company processes personal data in compliance with the following GDPR principles:

Lawfulness, Fairness, and Transparency: Data must be processed lawfully and transparently.

Purpose Limitation: Collected for specified, explicit, and legitimate purposes.

Data Minimisation: Limited to what is necessary for processing.

Accuracy: Data must be accurate and kept up to date.

Storage Limitation: Retained only as long as necessary.

Integrity and Confidentiality: Secured against unauthorised or unlawful processing, loss, or damage.

Accountability: The Controller is responsible for demonstrating compliance.


  5. Lawful Basis for Processing


Personal data shall be processed only where one or more of the following lawful bases apply:

Consent: The Data Subject has given explicit consent.

Contract Performance: Processing is necessary for the performance of a contract with the Data Subject.

Legal Obligation: Processing is required to comply with a legal duty.

Vital Interests: Processing is necessary to protect someone’s life.

Public Interest: Processing is carried out in the public interest or in the exercise of official authority.

Legitimate Interests: Processing is necessary for the legitimate interests of the Controller, except where overridden by the rights of the Data Subject.


  6. Purposes of Processing


The Company processes personal data for purposes including:

Management of human resources and employment relations,

Legal, operational, and cybersecurity risk management,

Fulfilment of contractual and legal obligations,

Customer relationship management and service provision,

Marketing, event organization, and communications,

Compliance with audits, legal inquiries, and regulatory requirements,

Improvement of products, services, and business operations.


  7. Data Storage and Retention


Personal data are stored securely in both electronic and physical environments.
Retention periods are defined according to:

Legal and regulatory obligations,

The necessity for business or contractual operations,

The minimisation and limitation principles under GDPR Article 5(1)(e).

Once retention periods expire, data are securely deleted, anonymised, or destroyed in accordance with the Company’s Data Retention Schedule.


  8. Data Transfers


The Company may transfer personal data:

Within the European Economic Area (EEA);

To countries outside the EEA, only where adequate protection (as per GDPR Article 45) is ensured,

Or, where adequacy is not recognised, under standard contractual clauses (SCCs) or other lawful transfer mechanisms (Articles 46–49).


  9. Data Subject Rights


Under Articles 12–23 of GDPR, Data Subjects have the following rights:

Right to Access: To obtain confirmation and a copy of their data.

Right to Rectification: To correct inaccurate or incomplete data.

Right to Erasure (“Right to be Forgotten”): To request deletion of personal data.

Right to Restriction: To limit processing in certain circumstances.

Right to Data Portability: To receive data in a structured, commonly used format.

Right to Object: To object to processing based on legitimate interests or direct marketing.

Rights Related to Automated Decision-Making: To avoid decisions made solely by automated means.

Requests regarding these rights can be submitted via general@pyrmdgroup.com.

The Company will respond within one month, extendable by two months in complex cases.


  10. Data Security


The Company implements appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of personal data, including:

Technical Measures:

Encryption, pseudonymisation, and access control

Secure servers and firewalls

Regular penetration tests and vulnerability scans

System and data backup management

Organisational Measures:

Confidentiality and data protection clauses in contracts

Staff training and awareness programmes

Regular internal audits and compliance monitoring

Incident response and breach reporting protocols


  11. Data Breach Management


In the event of a personal data breach:

The Company will notify the Supervisory Authority within 72 hours (as per GDPR Article 33).

Where the breach is likely to result in a high risk to individuals, affected Data Subjects will also be informed without undue delay.

All breaches are recorded and investigated to prevent recurrence.


  12. Accountability and Governance


The Company maintains comprehensive documentation demonstrating compliance with GDPR, including:

Data Processing Records (Article 30 Records),

Data Protection Impact Assessments (DPIA),

Contracts with processors incorporating GDPR clauses,

Regular compliance reviews by designated data protection officers or compliance leads.


  13. Policy Review and Updates


This Policy is reviewed annually or whenever significant regulatory or organisational changes occur.
The most recent version is published on the Company’s website: www.pyrmdgroup.com

  14. Contact


For any questions or requests regarding personal data: general@pyrmdgroup.com

PYRMD GROUP LTD

© All rights reserved