Personal Data Protection and Processing Policy



AMES EUROPE TEKSTİL SANAYİ VE TİCARET ANONİM ŞİRKETİ

PERSONAL DATA PROTECTION AND PROCESSING POLICY

Approved by the Board of Directors.

Effective Date: 28/02/2023

INDEX

1. ABBREVIATIONS AND CONCEPTS

2. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

3. ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

4. CATEGORIZATION, PROCESSING PURPOSES AND STORAGE PERIODS OF PERSONAL DATA PROCESSED BY THE DATA CONTROLLER

5. CATEGORIZATION OF THE OWNERS OF THE PERSONAL DATA PROCESSED BY THE DATA CONTROLLER

6. THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED BY THE DATA CONTROLLER AND THE PURPOSES OF TRANSFER         

7. PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO THE PROCESSING CONDITIONS IN THE LAW        

8. CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA       

9. RIGHTS OF PERSONAL DATA SUBJECTS; METHODOLOGY FOR THE EXERCISE AND EVALUATION OF THESE RIGHTS        

10. THE RELATIONSHIP OF THE DATA CONTROLLER'S POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA WITH OTHER POLICIES

ABBREVIATIONS AND CONCEPTS

KVKK/Law: Personal Data Protection Law No. 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677
GDPR: EU (European Union) General Data Protection Regulation
Constitution: The Constitution of the Republic of Turkey, dated 7 November 1982 and numbered 2709, published in the Official Gazette dated 9 November 1982 and numbered 17863
Data Processor: The person who processes personal data outside the organization of the data controller and in line with the authorization and instruction received from the data controller, except for the person or unit responsible for technical storage, protection and backup of the data.
Data Owner/Data Subject: Natural persons whose personal data are processed, such as employees, customers, business partners, shareholders, officials, potential customers, candidate employees, interns, visitors, suppliers, employees of the institutions with which the Company is affiliated, and third parties and other persons, including but not limited to those listed herein.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. For the purposes of this Policy, Ames Europe Tekstil Sanayi ve Ticaret Anonim Şirketi will hereinafter be referred to as the Data Controller.
Open Consent: Consent on a specific issue, based on information and freely given.
Disposal: Deletion, disposal or anonymization of personal data.
Storage/Recording Environment: Any environment containing personal data processed by fully or partially automated means, or by non-automated means provided that it is part of any data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Sensitive Personal Data: Personal data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Anonymization of Personal Data: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Deletion of Personal Data: The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way.
Disposal of Personal Data: The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way.
Periodic Disposal: Deletion, destruction or anonymization to be carried out ex officio at recurring intervals in the event that all of the conditions for processing personal data specified in the Law are eliminated.
Regulation: Regulation on Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette dated October 28, 2017 and numbered 30224 and entered into force as of January 1, 2018.
PDP Board / Board: Personal Data Protection Board
PDP Authority: Personal Data Protection Authority
Policy: The Data Controller's Personal Data Protection and Processing Policy
Turkish Penal Code: Turkish Penal Code dated September 26, 2004 and numbered 5237; published in the Official Gazette dated October 12, 2004 and numbered 25611.
Obligation to Inform: The data controller shall inform the relevant persons about the identity of the Data Controller, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the data subject listed in Article 11 of the KVKK.
Data Controllers Registry Information System (VERBIS): A data registry system created by the Board Presidency under the supervision of the Board, where data controllers register and declare information about their data processing activities.

1. INTRODUCTION

1.1. Objective

As the Data Controller, we are aware of our responsibility for the protection of personal data, which is regulated as a constitutional right, and taking it under legal guarantee, and we give importance to the safe use of your personal data.

The purpose of this policy is to regulate the methods and principles to be followed by Ames Europe Tekstil Sanayi ve Ticaret Anonim Şirketi to ensure that it processes and protects personal data in accordance with the Law on the Protection of Personal Data (KVKK) published in the Official Gazette dated April 7, 2016 and numbered 29677.

In this way, it is aimed to ensure full compliance with the legislation in the processing and protection of personal data carried out by the Data Controller and to protect all rights of personal data owners arising from the legislation on personal data.

1.2. Scope

This policy applies to the activities carried out by Ames Europe Tekstil Sanayi ve Ticaret Anonim Şirketi for the processing and protection of all personal data.

This policy covers natural persons whose personal data are processed by the Data Controller through automatic or non-automatic means, provided that they are part of any data recording system. This Policy does not apply to legal entities and legal entity data in any way.

Groups of Persons Whose Data are Processed under the Policy
Employee
Supplier Employee
Potential Product or Service Purchaser
Supplier Representative
Product or Service Purchaser
Shareholder/Partner
Parent / Guardian / Representative
Employee Candidate
Visitor
Intern
Public Official
Employee Relative
Workplace Doctor
Doctor
Occupational Health and Safety Specialist
Party to Lawsuit, Enforcement Case
Website Visitors

This Policy as a whole applies to all personal data owners in the above-mentioned groups of persons, while some of its provisions may be directed only to certain groups of relevant persons.

This policy is implemented by the Data Controller in the activities carried out for the processing and protection of all personal data, together with the relevant detailed data procedures.

1.3. Implementation of the Policy and Related Legislation

Within the scope of this Policy, the relevant legal regulations and data security principles in force in the national legislation on the processing and protection of personal data will primarily apply. In case of incompatibility between the legislation in force and the Policy, the Data Controller agrees that the legislation in force will be applied.

2. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the KVKK, the Data Controller takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and carries out the necessary audits within this scope or has them carried out.

2.1. Ensuring the Security of Personal Data

2.1.1. Technical and Administrative Measures Taken to Ensure the Processing of Personal Data in Accordance with the Law, to Prevent Unlawful Access to Personal Data and to Store Personal Data in Secure Environments

Subject to the confidentiality of personal data, the Data Controller takes technical and administrative measures, in accordance with the technological possibilities and the cost of implementation, to ensure the appropriate level of security so that personal data is processed in accordance with the law, unlawful access to this data is prevented, its loss and destruction are prevented, and it is stored and preserved in secure environments.

2.1.1.1. Technical Measures Taken to Ensure the Processing of Personal Data in Accordance with the Law, to Prevent Unlawful Access to Personal Data and to Store Personal Data in Secure Environments

The main technical measures taken by the Data Controller, subject to personal data confidentiality, to ensure the appropriate level of security so that personal data is processed in accordance with the law, unlawful access to this data is prevented, loss and destruction are prevented, and the data is stored and preserved in secure environments are listed below:

Technical Measures
Network security and application security are ensured
A closed system network is used for personal data transfers through the network
Key management is in place
Security measures are taken within the scope of procurement, development, and maintenance of information technology systems
Security of personal data stored in the cloud is ensured
Access logs are kept regularly
Corporate policies on access, information security, use, storage, and disposal have been prepared and implemented
Data masking measures are applied when necessary
Up-to-date anti-virus systems are used
Firewalls are used
Personal data is backed up and the security of the backed-up personal data is also ensured
User account management and authorization control system is implemented and monitored
Log records are kept without user intervention
Intrusion detection and prevention systems are used
Cyber security measures have been taken and their implementation is constantly monitored
Encryption is performed
Sensitive personal data transferred on portable memory, CD or DVD media is encrypted before transfer
Data loss prevention software is used

2.1.1.2. Administrative Measures Taken to Ensure the Lawful Processing of Personal Data, to Prevent Unlawful Access to Personal Data and to Store Personal Data in Secure Environments

The main administrative measures taken by the Data Controller, subject to personal data confidentiality, to ensure the appropriate level of security so that personal data is processed in accordance with the law, unlawful access to this data is prevented, loss and destruction are prevented, and the data is stored and preserved in secure environments are listed below:

Administrative Measures
Disciplinary arrangements that include data security provisions are in place for employees
Training and awareness activities on data security for employees are carried out at regular intervals
An authorization matrix has been created for employees
Confidentiality commitments are made
Employees who change their position or leave their job are de-authorized in this area
The signed contracts contain data security provisions
Extra security measures are taken for personal data transferred via paper and the relevant document is sent in a confidential document format
Personal data security policies and procedures have been determined
Personal data security issues are quickly reported
Personal data security is monitored
Necessary security measures are taken for entering and exiting physical environments containing personal data
Physical environments containing personal data are secured against external risks (fire, flood, etc.)
Security of environments containing personal data is ensured
Personal data is minimized as much as possible
Internal periodic and/or random audits are conducted and commissioned
Existing risks and threats have been identified
Protocols and procedures for the security of sensitive personal data have been determined and implemented
Awareness of data processing service providers on data security is ensured

2.1.2. Supervision of Measures Taken for the Protection of Personal Data

In accordance with Article 12 of the KVKK, the Data Controller conducts the necessary audits within its own organization or has them carried out. The results of these audits, carried out to fulfill the obligations of the legal regulations on which personal data protection planning is based, are reported to the relevant department within the scope of the internal functioning of the Data Controller, and the necessary activities are carried out to improve the measures taken.

2.1.3. Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

The Data Controller has the obligation to protect the personal data it processes against unauthorized access, illegal processing, disclosure, loss and alteration. In the event that the personal data processed in accordance with Article 12 of the KVKK is obtained and used by unauthorized others through unlawful means, it operates a system that ensures that this situation is notified to the relevant personal data owner and the PDP Board as soon as possible.

2.2. Observing the Rights of the Data Subject; Creating Channels to Communicate These Rights to the Data Controller and Evaluating the Requests of Data Subjects

The Data Controller maintains the necessary channels, internal functioning, and administrative and technical arrangements in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.

If personal data owners submit their requests regarding the rights listed below to us in writing, we, as the Data Controller, will finalize the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the rate schedule determined by the PDP Board will be charged to the applicant data owner.

Personal data owners have the right to:

  • Learn whether personal data is being processed,
  • Request information if their personal data has been processed,
  • Learn the purpose of processing personal data and whether they are used in accordance with their purpose,
  • Know the third parties to whom personal data are transferred domestically or abroad,
  • Request correction of personal data in case of incomplete or incorrect processing, and request notification of the transaction made within this scope to third parties to whom personal data is transferred,
  • Request the deletion or disposal of personal data in the event that the reasons requiring its processing disappear, even though it has been processed in accordance with the provisions of the KVKK and other relevant laws, and request notification of the transaction made within this scope to third parties to whom personal data is transferred,
  • Object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
  • Demand compensation for the damage in case of damage due to unlawful processing of personal data.

2.3. Protection of Sensitive Personal Data

The KVKK attaches great importance to certain sensitive personal data due to the risk of causing victimization or discrimination in case of unlawful processing.

These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

The Data Controller acts sensitively in the protection of personal data that are determined as "special categories" by the KVKK and processed in accordance with the law. In this context, the technical and administrative measures taken by the Data Controller for the protection of personal data are carefully implemented for special categories of personal data, the necessary audits are carried out within the Data Controller, and a Policy on Processing and Protection of Special Categories of Personal Data is also established.

2.4. Awareness Raising and Audit of Business Units on Protection and Processing of Personal Data

The Data Controller ensures that the necessary trainings are organized for the business units in order to raise awareness to prevent unlawful processing of personal data, unlawful access to data and to ensure the protection of data.

Necessary systems are established to ensure that the existing employees of the business units of the Data Controller and the employees who are newly included in the business unit are aware of the protection of personal data, and if necessary, professional persons are hired.

The results of the trainings conducted to increase the awareness of the business units of the Data Controller on the protection and processing of personal data are reported to the Data Controller. In this direction, the Data Controller evaluates the participation in the relevant trainings, seminars and information sessions and conducts the necessary audits or has them carried out. The trainings we carry out as the Data Controller are updated and renewed in parallel with the updating of the relevant legislation.

3. ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

In accordance with Article 20 of the Constitution and Article 4 of the KVKK, the Data Controller carries out personal data processing activities in accordance with the law and good faith; accurately and, when necessary, up to date; pursuing specific, clear and legitimate purposes; and in a purpose-related, limited and measured manner.

The Data Controller retains personal data for the period stipulated by law or required by the purpose of personal data processing.

Pursuant to Article 20 of the Constitution and Article 5 of the KVKK, the Data Controller processes personal data based on one or more of the conditions in Article 5 of the KVKK regarding the processing of personal data.

In accordance with Article 20 of the Constitution and Article 10 of the KVKK, the Data Controller informs the personal data subjects and provides the necessary information in case the personal data subjects request information.

In accordance with Article 6 of the KVKK, the Data Controller acts in accordance with the regulations stipulated for the processing of special categories of personal data.

In accordance with Articles 8 and 9 of the KVKK, the Data Controller acts in accordance with the regulations stipulated in the law and set forth by the PDP Board regarding the transfer of personal data.

3.1. Processing of Personal Data in Compliance with the Principles Stipulated in the Legislation

3.1.1. Processing in accordance with the Law and Good Faith

The Data Controller acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, the Data Controller takes into account the proportionality requirements in the processing of personal data and does not use personal data for purposes other than its purpose.

3.1.2. Ensuring that Personal Data is Accurate and Up to Date When Necessary

The Data Controller ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of personal data owners and their legitimate interests, and takes the necessary measures in this direction.

3.1.3. Processing for Specific, Explicit and Legitimate Purposes

The Data Controller clearly and precisely determines the legitimate and lawful purpose of personal data processing. The Data Controller processes personal data in connection with and to the extent necessary for the services it provides. The purpose for which personal data will be processed by the Data Controller is determined before the personal data processing activity begins.

3.1.4. Being Relevant, Limited and Proportionate to the Purpose for Which They are Processed

The Data Controller processes personal data in a manner that is conducive to the realization of the specified purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed.

3.1.5. Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed

The Data Controller retains personal data only for the period specified in the relevant legislation or for the period required for the purpose for which they are processed. In this context, the Data Controller first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period of time is determined, it acts in accordance with this period, and if a period of time is not determined, it keeps personal data for the period required for the purpose for which they are processed. Personal data are deleted, disposed of or anonymized by the Data Controller at the end of the period or in the event that the reasons requiring their processing disappear. Personal data are not stored by the Data Controller with the possibility of future use.

3.2. Processing of Personal Data Based on and Limited to One or More of the Personal Data Processing Conditions Stated in Article 5 of the KVKK

Protection of personal data is a constitutional right. Fundamental rights and freedoms may be restricted without prejudice to their essence only for the reasons specified in the relevant articles of the Constitution and only by law. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may only be processed in cases stipulated by law or with the explicit consent of the person. In this direction and in accordance with the Constitution; the Data Controller processes personal data only in cases stipulated by law or with the explicit consent of the person.

3.3. Informing the Personal Data Owner

As the Data Controller, and in accordance with Article 10 of the KVKK, we inform personal data owners during the acquisition of personal data. In this context, we provide information about the identity of the Data Controller and its representative, if any; the purpose for which personal data will be processed; to whom and for what purpose the processed personal data can be transferred; the method and legal reason for collecting personal data; and the rights of the personal data owner.

Article 20 of the Constitution stipulates that everyone has the right to be informed about personal data concerning him/her. In this direction, "requesting information" is also listed among the rights of the personal data owner in Article 11 of the KVKK. In this context, the Data Controller provides the necessary information in case the personal data owner requests information in accordance with Article 20 of the Constitution and Article 11 of the KVKK.

While fulfilling the disclosure obligation, the Data Controller acts in accordance with the Law No. 6698, the Communiqué on the Procedures and Principles to be followed in the Fulfillment of the Disclosure Obligation, the Board decisions published on the website of the Authority and the Guide to the Fulfillment of the Disclosure Obligation prepared by the Authority.

3.4. Processing of Special Categories of Personal Data

In the processing of personal data determined as "special categories" by the KVKK, the Data Controller acts in strict compliance with the regulations stipulated in the KVKK.

In Article 6 of the KVKK, some personal data that have the risk of causing victimization or discrimination when processed unlawfully are determined as "special categories". These data are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

In accordance with the KVKK, special categories of personal data are processed by the Data Controller in the following cases, provided that adequate measures to be determined by the PDP Board are taken:

  • If the personal data subject has given explicit consent

or

  • If the personal data subject has not given explicit consent:

      - Sensitive personal data other than the health and sexual life of the personal data owner, in cases stipulated by law,

      - Sensitive personal data relating to the health and sexual life of the personal data owner are processed only by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

A separate policy for the processing of special categories of personal data is established by the Data Controller.

3.5. Transfer of Personal Data

The Data Controller may transfer the personal data and sensitive personal data of the personal data owner to third parties by taking the necessary security measures in line with the lawful personal data processing purposes. In this direction, the Data Controller acts in accordance with the regulations stipulated in Article 8 of the KVKK.

3.5.1. Conditions for Transfer of Personal Data

In line with legitimate and lawful personal data processing purposes, the Data Controller may transfer personal data to third parties based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Law listed below:

  • If there is explicit consent of the personal data owner.
  • If there is a clear regulation in the laws regarding the transfer of personal data.
  • If it is mandatory for the protection of the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to disclose his consent due to actual impossibility or his consent is not legally valid.
  • If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
  • If personal data transfer is mandatory for the Data Controller to fulfill its legal obligation.
  • If the personal data has been made public by the personal data subject.
  • If personal data transfer is mandatory for the establishment, exercise or protection of a right.
  • If personal data transfer is mandatory for the legitimate interests of the Data Controller, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

3.5.2. Transfer of Sensitive Personal Data

The Data Controller may transfer the personal data of the personal data owner to third parties in the following cases in line with the legitimate and lawful personal data processing purposes by taking the necessary care, taking the necessary security measures and adequate measures stipulated by the PDP Board.

  • If the personal data subject has given explicit consent

or

  • If the personal data subject has not given explicit consent:

      - Sensitive personal data (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and apparel, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data) other than the health and sexual life of the personal data owner, in cases stipulated by law,

      - Sensitive personal data relating to the health and sexual life of the personal data owner are transferred only to persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

3.6. Transfer of Personal Data Abroad

The Data Controller may transfer the personal data and sensitive personal data of the personal data owner to third parties abroad by taking the necessary security measures in line with the lawful personal data processing purposes. As a result of the widespread use of company applications that provide information services today, communication through instant messaging or online communication channels is established through platforms and applications of foreign origin. Therefore, it is possible to transfer data abroad through these platforms.

Personal data are transferred by the Data Controller to foreign countries declared by the PDP Board to have adequate protection or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the PDP Board has granted permission ("Foreign Country Where the Data Controller Undertakes Adequate Protection"). In this direction, the Data Controller acts in accordance with the regulations stipulated in Article 9 of the KVKK.

3.6.1. Conditions for Transferring Personal Data Abroad

In line with the legitimate and lawful personal data processing purposes, the Data Controller may transfer personal data to Foreign Countries with Adequate Protection or to Foreign Countries where there is a Data Controller Committed to Adequate Protection if the personal data owner has given explicit consent or, where the personal data owner has not given explicit consent, in the presence of one of the following cases:

  • If there is a clear regulation in the laws regarding the transfer of personal data,
  • If it is mandatory for the protection of the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to disclose his consent due to actual impossibility or his consent is not legally valid;
  • If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
  • If personal data transfer is mandatory for the Data Controller to fulfill its legal obligation

3.6.2. Transfer of Sensitive Personal Data Abroad

  • If the personal data subject has given explicit consent

or

  • If the personal data subject has not given explicit consent:

      - Sensitive personal data other than the health and sexual life of the personal data owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data), in cases stipulated by law,

      - Sensitive personal data relating to the health and sexual life of the personal data owner can only be transferred within the scope of processing by persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

4. CATEGORIZATION, PROCESSING PURPOSES AND STORAGE PERIODS OF PERSONAL DATA PROCESSED BY THE DATA CONTROLLER

In accordance with Article 10 of the KVKK, the Data Controller informs the personal data owner of which personal data owner groups' personal data are processed, the purposes of processing the personal data of the personal data owner and the retention periods within the scope of the disclosure obligation.

4.1. Categorization of Personal Data

The following categories of personal data are processed by the Data Controller by informing the relevant persons in accordance with Article 10 of the KVKK, in line with the legitimate and lawful personal data processing purposes of the Data Controller, based on one or more of the personal data processing conditions specified in Article 5 of the KVKK and limited to the subjects within the scope of this Policy by complying with the general principles specified in the KVKK, especially the principles specified in Article 4 regarding the processing of personal data, and all obligations regulated in the KVKK.

Category of Personal Data: Description
Identity Data: Data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; containing information about the identity of the person (documents such as driver's license, identity card and passport containing information such as name-surname, Turkish ID number, nationality information, mother's name-father's name, place of birth, date of birth, gender, and information such as tax number, Social Security number, signature information, vehicle license plate, etc.)
Contact Data: Information that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system (information such as telephone number, address, e-mail address, fax number, IP address)
Financial Data: Data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system (personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by the Data Controller with the personal data owner, and data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information)
Professional Experience Data: Data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; data containing information about the identity of the person (data processed according to the type of legal relationship established by the Data Controller with the Personal Data Owner; data such as diploma information, courses attended, vocational training information, certificates, candidate application forms, reference interview information, job interview information, transcript information)
Criminal Conviction and Security Measures Data: Data belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system (data such as the criminal record of the Personal Data Owner obtained within the framework of the operations carried out by the business units of the Data Controller or in order to carry out the business processes of natural persons in a working relationship with the Data Controller or to protect the legal and other interests of the Data Controller and the Personal Data Owner)
Location Data: Information that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system (information that determines the location of the personal data owner within the framework of the operations carried out by the business units, during the use of products and services or while using the vehicles of the employees, GPS location, travel data, etc.)
Audio/Visual Data: Data that clearly belongs to an identified or identifiable natural person (photographs and camera recordings (except for recordings within the scope of Physical Space Security Information), voice recordings and data contained in documents that are copies of documents containing personal data)
Personnel Information: All kinds of personal data that clearly belong to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed to obtain information that will be the basis for the formation of the employee rights of natural persons who are in a working relationship with the Data Controller
Health Data: Personal data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system (health data such as health report, disability tax exemption certificates, insurance certificates, military service status certificates of the Personal Data Owner and / or family members obtained within the framework of the operations carried out by the business units of the Data Controller, in relation to the products and services offered or in order to carry out the business processes of natural persons in a working relationship with the Data Controller or to protect the legal and other interests of the Data Controller and the Personal Data Owner)
Legal Process Data: Data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed within the scope of the Data Controller's legal processes, determination of receivables and rights, follow-up and fulfillment of debts and legal obligations; information in correspondence with judicial authorities, incoming and outgoing documents, information such as case files
Venue Security Data: Personal data relating to records and documents taken at the entrance to the physical space and during the stay in the physical space, camera recordings, records taken at the security point, etc., which clearly belong to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system
Risk Management Data: Data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed for the management of all kinds of commercial, technical, administrative risks created according to the type of legal relationship established by the Data Controller with the Personal Data Owner
Customer Transaction Data: Information such as call center records, invoice, promissory note check information, order information, request information, offer, service number obtained and produced about the relevant person as a result of the commercial activities of the Data Controller and the operations carried out by the business units, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system
Marketing Data: Data obtained through shopping history information, surveys, cookie records, campaigns, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, obtained and produced about the relevant person as a result of the commercial activities of the Data Controller and the operations carried out by the business units
Process Security Information: Personal data such as IP address information, website login and exit information, password information, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed regarding the technical, administrative, legal and commercial security of both the Personal Data Owner and the Data Controller while carrying out the activities of the Data Controller
Vehicle Information: Data such as Vehicle License Plate and Embezzled Vehicle Information, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system
Family Member and Relative Data: Information on family members that clearly belongs to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system

4.2. Purposes of Processing Personal Data

The Data Controller processes personal data limited to the purposes and conditions within the personal data processing conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the KVKK. These purposes and conditions are listed below:

  • It is clearly stipulated in the Laws that the Data Controller is engaged in the relevant activity regarding the processing of your personal data
  • The processing of your personal data by the Data Controller is directly related and necessary for the establishment or performance of a contract
  • Processing of your personal data is mandatory for the Data Controller to fulfill its legal obligation
  • Provided that your personal data has been made public by you; processing by the Data Controller in a limited manner for the purpose of publicization by you
  • Processing of your personal data by the Data Controller is mandatory for the establishment, use or protection of the rights of the Data Controller or you or third parties
  • It is mandatory to carry out personal data processing activities for the legitimate interests of the Data Controller, provided that it does not harm your fundamental rights and freedoms
  • Processing of personal data by the Data Controller is mandatory for the protection of the life or physical integrity of the personal data owner or someone else, and in this case, the personal data owner is unable to disclose his consent due to actual or legal invalidity
  • It is stipulated in the laws for personal data of special nature other than the health and sexual life of the personal data owner
  • In terms of personal data of special nature related to the health and sexual life of the personal data owner, it is processed by persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

In this context, the Data Controller processes your personal data for the following purposes:

Purposes of Processing
Execution / Supervision of Business Activities
Execution of Goods / Services Production and Operation Processes
Execution of Management Activities
Ensuring the Security of Movable Property and Resources
Execution of Marketing Processes of Products / Services
Execution of Finance and Accounting Affairs
Execution of Logistics Activities
Execution of Activities in Compliance with the Legislation
Execution of Occupational Health / Safety Activities
Execution of Risk Management Processes
Ensuring the Security of Data Controller Operations
Execution of Business Continuity Ensuring Activities
Receiving and Evaluating Suggestions for Improvement of Business Processes
Execution of Goods / Service Procurement Processes
Execution of Supply Chain Management Processes
Execution of Goods / Service Sales Processes
Fulfillment of Obligations Arising from Employment Contract and Legislation for Employees
Monitoring and Execution of Legal Affairs
Execution of Contract Processes
Execution of Customer Relationship Management Processes
Execution of Activities for Customer Satisfaction
Providing Information to Authorized Persons, Institutions and Organizations
Organization and Event Management
Execution of Goods / Services After Sales Support Services
Execution of Communication Activities
Tracking Requests / Complaints
Execution of Information Security Processes
Planning Human Resources Processes
Execution of Employee Satisfaction and Loyalty Processes
Execution of Fringe Benefits and Benefits Processes for Employees
Conducting Audit / Ethics Activities
Conducting Internal Audit / Investigation / Intelligence Activities
Execution of Emergency Management Processes
Execution of Access Authorizations
Ensuring Physical Space Security
Conducting Training Activities
Execution of Employee Candidate Application Processes
Execution of Employee Candidate / Intern / Student Selection and Placement Processes
Execution of Assignment Processes
Execution of Human Resources Processes
Execution of Personnel Attendance Control System
Execution of Performance Evaluation Processes
Execution of Termination Procedures
Execution of Wage Policy
Execution of Company / Product / Service Loyalty Processes
Conducting Marketing Analysis Studies
Execution of Strategic Planning Activities
Creating and Tracking Visitor Records
Execution of Social Responsibility and Civil Society Activities

If a processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the KVKK, the Data Controller obtains your explicit consent for the relevant processing activity.

4.3. Retention of Personal Data

4.3.1. Retention Periods of Personal Data

If stipulated in the relevant laws and regulations, the Data Controller retains personal data for the period specified in these regulations. The retention periods determined by the Data Controller are stated below:

Categories of Personal Data: Retention Period
Identity: 15 years from the termination of the employment contract; 10 years from the termination of the legal relationship; 10 years from the end of the activity; 10 years from the end of the purpose of data processing; 5 years from the end of the processing purpose
Contact: 15 years from the termination of the employment contract; 10 years from the termination of the legal relationship; 10 years from the end of the activity; 10 years from the end of the purpose of data processing
Audio and Visual Recordings: 15 years from the termination of the employment contract; 10 years from the termination of the legal relationship; 10 years from the end of the activity; 10 years from the end of the purpose of data processing
Finance: 15 years from the termination of the employment contract; 10 years from the termination of the legal relationship; 10 years from the end of the activity; 10 years from the end of the purpose of data processing
Location: 15 years from the termination of the employment contract; 10 years from the termination of the legal relationship; 10 years from the end of the activity; 10 years from the end of the purpose of data processing
Customer Transaction: 15 years from the termination of the employment contract; 10 years from the termination of the legal relationship; 10 years from the end of the activity; 10 years from the end of the purpose of data processing
Professional Experience: 15 years from the termination of the employment contract; 10 years from the termination of the legal relationship; 10 years from the end of the activity; 10 years from the end of the purpose of data processing
Risk Management: 15 years from the termination of the employment contract; 10 years from the termination of the legal relationship; 10 years from the end of the activity; 10 years from the end of the purpose of data processing
Process Security: 15 years from the termination of the employment contract; 10 years from the termination of the legal relationship; 10 years from the end of the activity; 10 years from the end of the purpose of data processing
Legal Action: 15 years from the termination of the employment contract; 10 years from the termination of the legal relationship; 10 years from the end of the activity; 10 years from the end of the purpose of data processing
Personnel: 15 years from the termination of the employment contract; 10 years from the termination of the legal relationship
Criminal Conviction and Security Measures: 15 years from the termination of the employment contract
Health Information: 15 years from the termination of the employment contract
Working Family Member and Relative Information: 15 years from the termination of the employment contract; 10 years from the termination of the legal relationship
Physical Space Security: 15 years from the termination of the employment contract; 25 days
Marketing: 10 years from the end of the purpose of data processing
Vehicle Information: 15 years from the termination of the employment contract; 10 years from the termination of the legal relationship

If a period of time is not regulated in the legislation regarding how long personal data should be stored, Personal Data is processed for the period required to be processed in accordance with the practices and customs of the commercial life of the Data Controller, depending on the activity carried out by the Data Controller while processing that data, and then deleted, destroyed or anonymized. You can find detailed information on this subject in the Policy on Deletion, Destruction or Anonymization of Personal Data of the Data Controller.

If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and the Data Controller have come to an end; personal data can only be stored for the purpose of constituting evidence in possible legal disputes or to assert the relevant right related to personal data or to establish a defense. In the establishment of the periods here, the retention periods are determined based on the statute of limitations for the assertion of the aforementioned right and the examples in the requests previously addressed to the Data Controller on the same issues despite the expiration of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. After the aforementioned period expires, personal data are deleted, destroyed or anonymized.

4.3.2. Responsibility and Distribution of Duties in the Storage of Personal Data

All units and employees of the Data Controller actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law by properly implementing the technical and administrative measures taken by the responsible units within the scope of the Policy, training and raising awareness of the unit employees, monitoring and continuous supervision.

4.3.3. Storage Environments

Personal data belonging to data subjects are securely stored by the Data Controller in the environments listed in the table below in accordance with the relevant legislation, especially the provisions of the KVKK:

Storage Environments
Computer
Locked Archive Cabinet
Business Server
Archive Cabinet
Unit Archive
Double Locker in Controlled Zone
Software - Domestic
Domestic Email Server
Access Restricted File
Abroad Email Server

5. CATEGORIZATION OF THE OWNERS OF THE PERSONAL DATA PROCESSED BY THE DATA CONTROLLER

The table below details the categories of personal data subjects mentioned above and the types of personal data processed for the persons within these categories.

Personal Data Owner Category and Description: Categories of Processed Personal Data of the Data Subject
Employee (Real persons who have an employment contract with the Data Controller): Identity; Contact; Audio and Visual Recordings; Location; Professional Experience; Finance; Risk Management; Process Security; Legal Action; Personnel; Criminal Conviction and Security Measures; Health Information; Working Family Member and Relative Information; Physical Space Security; Marketing; Vehicle Information
Product or Service Purchaser (Natural persons whose personal data are obtained through the business relations of the Data Controller within the scope of the operations carried out by the business units of the Data Controller, regardless of whether they have any contractual relationship with the Data Controller): Identity; Contact; Customer Transaction; Legal Action; Finance; Risk Management; Marketing; Physical Space Security; Professional Experience
Supplier Employee (Real persons authorized to represent the Data Controller who are bound to the Data Controller by a supply contract): Identity; Contact; Finance; Location; Process Security; Marketing; Physical Space Security; Personnel; Professional Experience; Health Information; Vehicle Information
Shareholder/Partner (Real persons who are shareholders of the Data Controller): Identity; Contact; Finance; Risk Management; Legal Action; Professional Experience; Location; Process Security; Physical Space Security; Audio and Visual Recordings
Employee Candidate (Natural persons who have applied for a job to the Data Controller by any means or who have opened their CV and related information to the examination of the Data Controller): Identity; Contact; Personnel; Professional Experience; Audio and Visual Recordings; Health Information; Criminal Conviction and Security Measures; Physical Space Security
Parent / Guardian / Representative (Person(s) authorized to act on behalf of the natural or legal person who has a legal relationship with the Data Controller): Identity; Finance; Contact; Legal Action; Risk Management; Professional Experience
Visitor (Real persons who have entered the physical premises owned by the Data Controller for various purposes or who visit our websites): Identity; Health Information; Contact; Process Security; Physical Space Security; Marketing; Vehicle Information
Supplier Representative (Natural persons who are bound to the Data Controller by a supply contract and have an employment contract with the Data Controller): Identity; Contact; Finance; Legal Action; Risk Management; Customer Transaction; Physical Space Security; Professional Experience
Potential Product or Service Buyer (Natural persons whose personal data are obtained through the business relations of the Data Controller within the scope of the operations carried out by the business units of the Data Controller as a basis for the future legal relationship with the Data Controller): Identity; Contact; Customer Transaction; Location; Process Security; Marketing; Physical Space Security
Employee Candidate (Natural persons who have applied for a job to the Data Controller by any means or who have opened their CV and related information to the examination of the Data Controller): Identity; Communication; Personnel; Professional Experience; Criminal Conviction and Security Measures; Legal Process; Visual/Audio Records; Health; Venue Security
Intern (Real persons who are in an internship relationship with the Data Controller): Identity; Contact; Personnel; Professional Experience; Health Information; Finance
Public Official (Other groups of people): Identity; Communication
Occupational Health and Safety Specialist (Other groups of people): Identity; Communication; Professional Experience
Doctor (Other groups of people): Identity; Professional Experience
Workplace Doctor (Other groups of people): Identity; Professional Experience
Website Visitors (Other groups of people): Process Security; Marketing; Identity
Party to Lawsuit, Enforcement Case (Other groups of people): Identity; Communication

6. THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED BY THE DATA CONTROLLER AND THE PURPOSES OF TRANSFER

In accordance with Article 10 of the KVKK, the Data Controller informs the personal data owner about the groups of persons to whom personal data are transferred.

The Data Controller may transfer the personal data of the data owners managed by the Policy in accordance with Articles 8 and 9 of the KVKK to domestic and foreign recipient groups within the scope of the transfer reasons based on the data category listed below:

Category of Data Reason of Transfer Recipient
Domestic Abroad Domestic Abroad
Identity

Operational transactions

Legal Obligation

Information

Court Order

Administration Request

Monitoring the Legal Affairs and Transactions of the Data Controller

Contract

Transmission to Data Processors

Commercial Purpose

Operational Transactions

Information

Informing Subsidiaries

Contract Legal Obligation

Commercial Purpose

Suppliers

Authorized Public Institutions and Organizations

Natural Persons or Private Law Legal Entities

Shareholders

Associates and Subsidiaries

Suppliers

Natural Persons or Private Law Legal Entities

Business Partners

Associates and Subsidiaries

Authorized Public Institutions and Organizations

Contact

Legal Obligation

Operational transactions

Information

Court Order

Administration Request

Monitoring the Legal Affairs and Transactions of the Data Controller

Contract

Commercial Purpose

Operational Transactions

Information

Informing Subsidiaries

Contract

Legal Obligation

Commercial Purpose

Suppliers

Authorized Public Institutions and Organizations

Natural Persons or Private Law Legal Entities

Shareholders

Associates and Subsidiaries

Suppliers

Natural Persons or Private Law Legal Entities

Business Partners

Associates and Subsidiaries

Authorized Public Institutions and Organizations

Audio and Visual Recordings

Operational transactions

Legal Obligation

Court Order

Administration Request

Monitoring the Legal Affairs and Transactions of the Data Controller

Transmission to Data Processors

Information

 

Suppliers

Authorized Public Institutions and Organizations

Natural Persons or Private Law Legal Entities

 
Finance

Operational transactions

Legal Obligation

Information

Administration Request

Monitoring the Legal Affairs and Transactions of the Data Controller

Contract

Information

Operational transactions

Informing subsidiaries

Authorized Public Institutions and Organizations

Suppliers

Natural Persons or Private Law Legal Entities

Business Partners

Associates and Subsidiaries

Suppliers

Business Partners Associates and Subsidiaries

Private Law Legal Entities

Authorized Public Institutions and Organizations

Location

Operational transactions

Legal Obligation

 

Authorized Public Institutions and Organizations

Suppliers

 
Customer Transaction

Operational transactions

Legal Obligation

Information

Operational transactions

Information

Informing subsidiaries

Suppliers

Authorized Public Institutions and Organizations

Natural Persons or Private Law Legal Entities

Suppliers

Natural Persons or Private Law Legal Entities

Associates and Subsidiaries

Professional Experience

Legal Obligation

Operational transactions

Court Order

Administration Request

Monitoring the Legal Affairs and Transactions of the Data Controller

Information

Contract

Commercial Purpose

Information

Operational transactions

Contract

Commercial Purpose

Informing subsidiaries

Authorized Public Institutions and Organizations

Suppliers

Natural Persons or Private Law Legal Entities

Associates and Subsidiaries

Natural Persons or Private Law Legal Entities

Business Partners

Associates and Subsidiaries

Risk Management

Legal Obligation

Information

Operational transactions

Commercial Purpose

Operational Transactions

Information

Informing subsidiaries

Authorized Public Institutions and Organizations

Natural Persons or Private Law Legal Entities

Suppliers

Suppliers

Natural Persons or Private Law Legal Entities

Associates and Subsidiaries

Process Security

Legal Obligation

Information

Operational transactions

Operational Transactions

Authorized Public Institutions and Organizations

Supplier

 
Legal Action

Legal Obligation

Information

Operational transactions

Operational Transactions

Authorized Public Institutions and Organizations

Supplier

Suppliers
Personnel

Court Order

Legal Obligation

Administration Request

Monitoring the Legal Affairs and Transactions of the Data Controller

Operational transactions

Information

Contract

Commercial Purpose

Operational Transactions

Authorized Public Institutions and Organizations

Supplier

Suppliers
Criminal Conviction and Security Measures

Court Order

Legal Obligation

Administration Request

Operational transactions

Monitoring the Legal Affairs and Transactions of the Data Controller

Operational Transactions

Authorized Public Institutions and Organizations

Supplier

Suppliers
Health Information

Legal Obligation

Operational transactions

Administration Request

Monitoring the Legal Affairs and Transactions of the Data Controller

Court Order

 

Suppliers

Business Partners

Associates and Subsidiaries

Private Law Legal Entities

Authorized Public Institutions and Organizations

 

Operational transactions

Family Member and Relative Information

Legal Obligation

Operational transactions

Administration Request

Monitoring the Legal Affairs and Transactions of the Data Controller

 

Suppliers

Business Partners

Associates and Subsidiaries

Private Law Legal Entities

Authorized Public Institutions and Organizations

 
Physical Space Security

Legal Obligation

Operational transactions

  Authorized Public Institutions and Organizations  
Marketing Legal Obligation   Authorized Public Institutions and Organizations  
Vehicle Information

Legal Obligation

Information

Informing subsidiaries Authorized Public Institutions and Organizations Informing subsidiaries

The definition and scope of the recipient groups to which the above-mentioned transfers are made are set out in the table below.

Persons to Whom Data Can Be Transferred: Definition of Persons to Whom Data Can Be Transferred
Authorized Public Institutions and Organizations: Public institutions and organizations authorized to receive information and documents from the Data Controller in accordance with the provisions of the relevant legislation. (All ministries, judicial, administrative institutions and organizations under the Presidency, especially the Ministry of Justice, the Constitutional Court, the Court of Cassation, the Council of State, the Regional Courts of Appeal, Local Courts and other courts of the Republic of Turkey, all departments and levels of the Turkish Grand National Assembly, other administrative and financial accident institutions, Governorships, District Governorships, Security Directorates, Consulates of the relevant country, Population and Citizenship Affairs Directorates, Tax Offices, all central and provincial organizations and units of the Ministry of Finance, Customs Directorates and Chief Directorates, SSI, General Directorate of Free Zones of the Undersecretariat of Foreign Trade, Free Zones, All Public Banks and all other authorized public institutions and organizations)
Suppliers: Defines the parties that provide services to the Data Controller on a contractual basis in accordance with the orders and instructions of the Data Controller while carrying out the commercial activities of the Data Controller
Shareholders: Real persons who are shareholders of the Data Controller
Associates and Subsidiaries: Real or private legal entities in which the Data Controller is a subsidiary or shareholder
Business Partners: Real or private legal entities with whom the Data Controller carries out its commercial activities
Real Persons or Private Law Legal Entities: Private law persons or real persons authorized to receive information and documents from the Data Controller in accordance with the provisions of the relevant legislation

7. PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO THE PROCESSING CONDITIONS IN THE LAW

The Data Controller informs the personal data owner about the personal data it processes in accordance with Article 10 of the KVKK.

7.1. Processing of Personal Data and Sensitive Personal Data

7.1.1. Processing of Personal Data

The explicit consent of the personal data owner is only one of the legal grounds that make it possible to process personal data in accordance with the law. Apart from explicit consent, personal data may also be processed in the presence of one of the other conditions listed below. A personal data processing activity may be based on only one of the following conditions, or on more than one of them. Where the processed data is personal data of special nature, the conditions stated under heading 7.1.2. of this section apply.

Although the legal grounds for the processing of personal data by the Data Controller may vary, all kinds of personal data processing activities are carried out in accordance with the general principles specified in Article 4 of the KVKK.

7.1.1.1. Explicit Consent of the Personal Data Owner

One of the conditions for processing personal data is the explicit consent of the owner. The explicit consent of the personal data owner must be related to a specific subject, based on information and free will.

For personal data processing activities that fall outside the purposes for which the personal data were obtained, at least one of the conditions in 7.1.1.2 - 7.1.1.8 of this title is sought; if none of these conditions is present, these personal data processing activities are carried out by the Data Controller based on the explicit consent of the personal data owner for these processing activities.

For the processing of personal data based on the explicit consent of the personal data owner, the explicit consent of the personal data owners is obtained through the relevant methods.

7.1.1.2. Explicitly Stipulated in Laws

The personal data of the data subject may be processed in accordance with the law if it is clearly stipulated in the law.

7.1.1.3. Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility

The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself/herself or another person.

7.1.1.4. Directly Related to the Establishment or Performance of the Contract

Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process personal data belonging to the parties to the contract.

7.1.1.5. Fulfillment of the Legal Obligation by the Data Controller

The personal data of the data subject may be processed if the processing is mandatory for the Data Controller to fulfill its legal obligations as a data controller.

7.1.1.6. Publicization of Personal Data by the Personal Data Owner

In the event that the data subject has made his/her personal data public by himself/herself, the relevant personal data may be processed.

7.1.1.7. Data Processing is Mandatory for the Establishment or Protection of a Right

Personal data of the personal data owner may be processed if data processing is mandatory for the establishment, exercise or protection of a right.

7.1.1.8. Data Processing is Mandatory for the Legitimate Interest of the Data Controller

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, data may be processed if it is mandatory for the legitimate interests of the Data Controller.

7.1.2. Processing of Special Categories of Personal Data

If the personal data owner has not given explicit consent, special categories of personal data are processed by the Data Controller in the following cases, provided that adequate measures to be determined by the PDP Board are taken:

  • Sensitive personal data other than the health and sexual life of the personal data owner, in cases stipulated by law,
  • Sensitive personal data relating to the health and sexual life of the personal data subject can only be collected by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

7.2. Building, Facility Entrances and Personal Data Processing Activities Conducted within the Building Facility

Personal data processing activities carried out by the Data Controller at the entrances of the building facility and within the facility are carried out in accordance with the Constitution, the KVKK and other relevant legislation.

In order to ensure security, the Data Controller carries out personal data processing activities for the monitoring of guest entrances and exits with security cameras in its buildings and facilities.

Personal data processing activity is carried out by the Data Controller through the use of security cameras and recording of guest entrances and exits.

Cameras are divided into two types: indoor and outdoor cameras. Indoor cameras are positioned at an angle that does not directly capture our employees or visitors, and they exclude sinks, rooms, changing cabins and room interiors. The locations of the cameras have been carefully determined to ensure that the monitoring activity is kept to a minimum and limited to the purpose of monitoring.

7.2.1. Data Controller Camera Surveillance Activities Carried Out at Building, Facility Entrances and Inside

In this section, explanations will be made regarding the camera surveillance system of the Data Controller and information will be provided on how personal data, confidentiality and fundamental rights of the person are protected.

Within the scope of security camera surveillance activity, the Data Controller aims to protect the interests and ensure the security of the Data Controller and other persons.

7.2.2. Execution of Monitoring Activities with Security Cameras in accordance with KVK Law

The Data Controller acts in accordance with the regulations in the KVKK in carrying out camera surveillance activities for security purposes. In order to ensure security in its buildings and facilities, the Data Controller carries out security camera monitoring activities for the purposes stipulated in the relevant legislation in force and in accordance with the personal data processing conditions listed in the KVKK.

7.2.3. Announcement of Camera Monitoring Activity

The personal data owner is informed by the Data Controller in accordance with Article 10 of the KVKK. Alongside the clarification it provides on general matters, the Data Controller gives notice of the camera surveillance activity by more than one method. The aim is to prevent damage to the fundamental rights and freedoms of the personal data owner, to ensure transparency and to keep the personal data owner informed.

For the camera surveillance activity by the Data Controller; this Policy is published on the Data Controller's website (online policy regulation) and a notification letter regarding the monitoring is posted at the entrances of the areas where the monitoring is carried out (on-site disclosure).

7.2.4. Purpose of and Limitation to the Purpose of Camera Surveillance

In accordance with Article 4 of the KVK Law, the Data Controller processes personal data in a limited and measured manner in connection with the purpose for which they are processed.

The purpose of video camera surveillance by the Data Controller is limited to the purposes listed in this Policy. Accordingly, the areas monitored, the number of security cameras and the times of monitoring are sufficient to achieve the security purpose and are limited to this purpose.

Areas that may result in interference with the privacy of the person in a way that exceeds the security purposes (for example, toilets) are not subject to monitoring.

7.2.5. Ensuring the Security of the Data Obtained

Necessary technical and administrative measures are taken by the Data Controller to ensure the security of personal data obtained as a result of camera surveillance activity in accordance with Article 12 of the KVKK.

7.2.6. Retention Period of Personal Data Obtained through Camera Surveillance Activity

Detailed information on the Data Controller's retention period for personal data obtained through camera surveillance is provided in Article 4.3 of this Policy titled Retention Periods of Personal Data.

If, before the deletion period expires, it is understood that the video recordings obtained from the security cameras constitute evidence in a criminal investigation, they are kept until they are submitted to the judicial authority.

Video recordings obtained from security cameras are kept for 10 years if it is understood that they constitute evidence in a legal dispute before the deletion period.

7.2.7. Who has Access to the Information Obtained as a Result of Monitoring and to Whom This Information is Transferred

Only a limited number of the Data Controller's employees have access to the live camera images and to the records stored in digital media. The limited number of people who have access to the records declare, by means of a confidentiality undertaking, that they will protect the confidentiality of the data they access.

8. CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

Although personal data has been processed in accordance with the provisions of the relevant law, as regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVKK, it shall be deleted, destroyed or anonymized upon the Data Controller's own decision or upon the request of the personal data owner if the reasons requiring its processing disappear. In this context:

  • Expiration or nullity of the contract on the basis of processing,
  • Withdrawal of consent in processing activities based on explicit consent,
  • Data Subject's application for deletion-destruction-anonymization and acceptance of this application,
  • A decision by the Personal Data Protection Board that the request should be met, following the Data Owner's application to the Board upon the rejection of this application,
  • Expiration of the retention period,
  • Periodic destruction operations carried out within the Data Controller,

As a result, the Data Controller deletes, destroys or anonymizes the Personal Data collected.

In terms of Deletion, Destruction or Anonymization of Personal Data, the Data Controller creates a separate policy in detail within the scope of the Regulation on Deletion, Destruction or Anonymization of Personal Data.

9. RIGHTS OF PERSONAL DATA SUBJECTS; METHODOLOGY FOR THE EXERCISE AND EVALUATION OF THESE RIGHTS

9.1. Rights of the Data Subject and Exercising These Rights

9.1.1. Rights of the Personal Data Subject

Personal data subjects have the following rights:

  • To learn whether their personal data is being processed,
  • To request information if their personal data has been processed,
  • To learn the purpose of processing personal data and whether they are used for their intended purpose,
  • To know the third parties to whom personal data are transferred domestically or abroad,
  • To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
  • To request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, even though it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
  • To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
  • To demand compensation for the damage in case of damage due to unlawful processing of personal data.

9.1.2. Cases Where the Personal Data Owner Cannot Assert His/Her Rights

Pursuant to Article 28 of the KVK Law, personal data owners cannot assert the rights of personal data owners listed in 9.1.1. in these matters, since the following cases are excluded from the scope of the KVK Law:

  • Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
  • Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public safety, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
  • Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution procedures.

Pursuant to Article 28/2 of the KVKK, in the cases listed below, personal data owners cannot assert their other rights listed in 9.1.1., except for the right to demand compensation for the damage:

  • Processing of personal data is necessary for the prevention of crime or criminal investigation.
  • Processing of personal data made public by the personal data owner himself/herself.
  • Processing of personal data is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.
  • Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters.

9.1.3. Exercising the Rights of the Personal Data Owner

Personal Data Owners may submit their requests regarding their rights listed under Title 9.1.1. of this section to the Data Controller free of charge by filling out and signing the Application Form, together with the information and documents that establish their identity, using the methods specified below or other methods determined by the Personal Data Protection Board:

  • The complaint form is available at www.ames-europe.com or at the address of Zafer SB Mahallesi Mümtaz Sokak No:29/0 Gaziemir/İZMİR. After filling out the form, which you can obtain from the address of the Data Controller, you can send a wet signed copy to the same address of the Data Controller personally or through a notary public.

In order for third parties to make an application request on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the person who will make the application.

9.1.4. Personal Data Owner's Right to File a Complaint to the PDP Board

Pursuant to Article 14 of the KVK Law, the personal data owner may file a complaint to the KVK Board within thirty days from the date of learning the response of the Data Controller and in any case within sixty days from the date of application in case the application is rejected, the response is found insufficient or the application is not responded in due time.

9.2. Response of the Data Controller to the Applications

9.2.1. Procedure and Duration of the Data Controller's Response to Applications

In the event that the personal data owner submits his/her request to the Data Controller in accordance with the procedure in 9.1.3. of this section, the Data Controller will finalize the relevant request free of charge within thirty days at the latest, depending on the nature of the request. However, if a fee is stipulated by the PDP Board, the Data Controller will charge the applicant the fee in the tariff determined by the PDP Board.

9.2.2. Information that the Data Controller may request from the Applicant Personal Data Subject

The Data Controller may request information from the relevant person in order to determine whether the applicant is the personal data owner. In order to clarify the issues in the application of the personal data owner, the Data Controller may ask questions to the personal data owner about the application.

9.2.3. Data Controller's Right to Reject the Personal Data Subject's Application

The Data Controller may reject the application of the applicant in the following cases by explaining the reason:

  • Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
  • Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public safety, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
  • Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
  • Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution procedures.
  • Processing of personal data is necessary for the prevention of crime or criminal investigation.
  • Processing of personal data made public by the personal data owner himself/herself.
  • Processing of personal data is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law.
  • Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters.
  • The request of the personal data owner is likely to hinder the rights and freedoms of other persons.
  • Requests have been made that require disproportionate effort.
  • The requested information is publicly available.

10. THE RELATIONSHIP OF THE DATA CONTROLLER'S POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA WITH OTHER POLICIES

The Data Controller may also establish sub-policies for internal use regarding the protection and processing of personal data related to the principles set forth in this Policy, as well as other policies for certain groups of persons, especially employees.

The principles of the Data Controller's sub-policies for internal use are reflected in publicly available policies to the extent relevant, and it is aimed to inform those concerned within this framework and to ensure transparency and accountability regarding the personal data processing activities carried out by the Data Controller.

Ames Europe Tekstil Sanayi ve Ticaret Anonim Şirketi

ames@hs03.kep.tr

Zafer SB Mahallesi Mümtaz Sokak No:29/0 Gaziemir/İZMİR

0 232 258 01 52

info@ames-europe.com

www.ames-europe.com