Personal Data Policy

PERSONAL DATA PROCESSING, STORAGE AND DESTRUCTION POLICY OF “YELKANAT” FURNITURE, IMPORT, EXPORT MANUFACTURING, INDUSTRY AND TRADE JOINT STOCK COMPANY IN ACCORDANCE WITH THE PERSONAL DATA PROTECTION LAW NO. 6698 ("KVKK")

1. INTRODUCTION

The Personal Data Retention, Processing, and Destruction Policy has been prepared to establish the principles and procedures related to the retention, processing, and destruction activities carried out by Yelkanat Mobilya Import Export Manufacturing Industry and Trade Joint Stock Company (“Company”). In line with the mission, vision, and fundamental principles set forth in the Strategic Plan, the Company gives great importance to the processing and protection of all kinds of personal data belonging to employees, customers, service providers, occupational physicians, safety experts, visitors, business partners, and other third parties, in accordance with the Personal Data Protection Law No. 6698 (“KVKK”). To this end, the Company takes all necessary administrative and technical measures in accordance with the legal regulations and decisions taken. This Personal Data Protection, Processing, Retention, and Destruction Policy and its appendices have been prepared by Yelkanat Mobilya Import Export Manufacturing Industry and Trade Joint Stock Company in the capacity of Data Controller.

2. PURPOSE

This policy has been prepared by our company to ensure compliance with the Personal Data Protection Law and in line with the following fundamental principles. The personal data of the individuals mentioned above shall be processed in accordance with the decisions and principles issued by the Personal Data Protection Authority, the Turkish Constitution, International Agreements, the Personal Data Protection Law No. 6698, the Regulation on Personal Health Data, and relevant legislation, while ensuring that individuals can effectively exercise their rights. The storage and destruction of personal data are carried out in accordance with this policy. The personal data processed by our company may vary depending on the services provided and the purpose of processing, and it is collected through both automated and non-automated means.

3. SCOPE

The personal data of company employees, customers receiving services, service providers, service provider employees, workplace physicians, occupational safety experts, visitors, and other third parties, as well as the employees of public institutions and organizations and private legal entities with which we are in contact, and relevant third parties, is within scope of this policy. This policy applies to all personal data processed by the company, whether fully or partially automated or through non-automated means, provided that it is part of any data recording system.

4. OBJECTIVE

The objective of the Personal Data Processing, Retention, and Destruction Policy is to establish the necessary systems and ensure compliance with regulations to raise awareness regarding the lawful processing and protection of personal data in Yelkanat Mobilya Import Export Manufacturing Industry and Trade Joint Stock Company. In this context, the KVK (Personal Data Protection) Policy of Yelkanat Mobilya Import Export Manufacturing Industry and Trade Joint Stock Company aims to provide guidance for the implementation of regulations introduced by the Personal Data Protection Law and relevant legislation.

5. ABBREVIATIONS AND DEFINITIONS

Company: Yelkanat Mobilya Import Export Manufacturing Industry and Trade Joint Stock Company

Explicit Consent: Consent based on being informed about a specific subject and given freely.

Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.

Anonymization: The process of rendering personal data incapable of being associated with an identified or identifiable individual, even when combined with other data.

Employee: Refers to the employees of our company.

Electronic Environment: Environments where personal data can be created, read, modified, and written using electronic devices.

Non-Electronic Environment: All written, printed, visual, and other environments outside of electronic environments.

Relevant User: Persons who process personal data within the organization of the data controller or as per their authority and instruction from the data controller, excluding those responsible for the technical storage, protection, and backup of data.

Data Subject/Personal Data Owner: Refers to the natural person whose personal data is being processed.

Destruction: The deletion, destruction, or anonymization of personal data.

Recording Medium: Any environment where personal data is processed, either fully or partially automatically, or non-automatically, provided it is part of a data recording system.

Personal Data: Any information related to an identified or identifiable natural person.

Personal Health Data: Any information related to the physical and mental health of an identified or identifiable natural person, as well as information related to health services provided to the individual.

Processing of Personal Data: Any operation performed on personal data, whether fully or partially automated or non-automated, provided it is part of a data recording system, including but not limited to collection, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, acquisition, retrieval, classification, or prevention of use.

Anonymization of Personal Data: The process of rendering personal data incapable of being associated with an identified or identifiable individual, even when combined with other data.

Deletion of Personal Data: The process of making personal data inaccessible and unusable for Relevant Users in any way.

Destruction of Personal Data: The process of rendering personal data inaccessible, irretrievable, and unusable by anyone in any way.

Data Contact Person: The natural person notified during registration to the registry to maintain communication with the Authority, regarding the obligations under the Law and secondary regulations to be issued based on this Law, for natural and legal persons residing in Turkey, and for the data controller's representative for those not residing in Turkey.

Law: Personal Data Protection Law No. 6698

Board: Personal Data Protection Board

Authority: Personal Data Protection Authority

Special Categories of Personal Data: Personal data regarding race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

Periodic Destruction: The process of deletion, destruction, or anonymization to be carried out automatically at repeating intervals, as specified in the personal data storage and destruction policy, when all conditions for processing personal data under the Law have been eliminated.

Policy: General Policy on Personal Data Processing, Retention, and Destruction.

Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller.

Data Recording System: The system where personal data is processed by being structured according to specific criteria.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data, and is responsible for establishing and managing the data recording system.

Data Controllers' Registry Information System (VERBİS): The IT system created and managed by the Authority, accessible online, to be used by data controllers for registration and related processes in the Registry.

Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data, published in the Official Gazette on October 28, 2017.


6. RESPONSIBILITIES AND TASK DISTRIBUTION

In accordance with the Personal Data Protection Law No. 6698 and related regulations, a Personal Data Protection Committee has been established within the company to ensure, maintain, and sustain compliance with personal data protection regulations. The roles and responsibilities have been defined, necessary decisions have been made, and communicated to the relevant parties. The Personal Data Protection Committee and responsible units are tasked with implementing the necessary technical and administrative measures under this policy, providing training and raising awareness among relevant employees, and ensuring the prevention of unlawful processing and access to personal data, as well as ensuring the lawful storage of personal data in all environments where personal data is processed.

All departments and employees of the company actively support the responsible units in ensuring the proper implementation of technical and administrative measures within the scope of this policy, training and raising awareness among employees, monitoring and continuous auditing, preventing the unlawful processing and access to personal data, and ensuring data security in all environments where personal data is processed in compliance with the law.


7. ENVIRONMENTS WHERE PERSONAL DATA IS STORED

The personal data held by our company is stored in electronic environments such as personal computers, mobile devices like phones and tablets, servers, hardware, software programs, optical disks, removable storage devices, and cookies used on the website, and in physical form in non-electronic environments such as service information forms, personnel files, job application forms, contracts made between the company and third parties, manual data recording systems, written, printed, and visual media, unit cabinets, and archive rooms.

Personal data is securely stored in accordance with the Personal Data Protection Law No. 6698 and international data security principles. Your personal data is processed by our company through any kind of operation, including obtaining, recording, storing, altering, and reorganizing, whether automatically or non-automatically, provided it is part of a data recording system.


8. PROCESSING OF PERSONAL DATA AND GENERAL PRINCIPLES

8.1. Privacy Policy

As explained in this policy, the personal data of all individuals associated with our company is confidential. Within the scope of this policy and the measures taken, no one can use, reproduce, copy, or transfer personal data for any purpose other than those specified in the policies, except in cases stipulated by law. Personal data is processed in accordance with the Privacy principle as regulated by the Social Insurance and General Health Insurance Law, the Turkish Commercial Code, the Labor Law, the Occupational Health and Safety Law, the Personal Data Protection Law, and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, and other relevant legislation.


8.2. Basic Principles

The personal data processed by our company is handled in accordance with the principles outlined in Article 4 of the Personal Data Protection Law No. 6698. The company processes, protects, deletes, and destroys personal data in compliance with the procedures and principles set forth by law, based on the following principles:

▪ Lawfulness and fairness (the principle of compliance with the law and good faith).

Our company takes into account the interests of the relevant person when processing data within the scope of processing activity that has a legal basis. Based on this, the minimum amount of data is collected by our company based on the purpose of the legal rule. The minimum amount of data is collected by our company by determining which personal data is required and to what extent according to the concrete case. Our company takes into account the requirements of proportionality in the processing of personal data and does not use personal data for purposes other than those intended.

▪ The principle of personal data being accurate and up-to-date.

Our company takes the necessary measures to ensure that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights and legitimate interests of personal data owners. When our company determines that personal data has been processed incorrectly, the necessary measures are taken and corrected. However, if there are legitimate and reasonable grounds for our company to keep the data for any legitimate purpose, such as archiving, etc., the data may continue to be kept by stating that it is incorrect.

▪ Principle of processing personal data for specific, explicit, and legitimate purposes.

Our company clearly and definitively determines the legitimate and lawful purposes for processing personal data. The data is processed only to the extent necessary and relevant to the services provided. The purposes for processing personal data are communicated to the data subjects before the processing begins.

▪ The principle that Personal Data must be relevant, limited, and proportionate to the purposes for which they are processed.

Our company processes personal data in a manner that is suitable to achieve the specified purposes and avoids processing personal data that is unrelated or unnecessary for the intended purpose. For example, personal data is not processed to meet potential future needs. If a new purpose for processing arises that is not compatible with the original one, the necessary conditions for collecting the data are reassessed and ensured before further processing.

▪ The principle of keeping personal data for the period stipulated in the legislation or necessary for the purpose for which they are processed.

Our company retains personal data only for as long as is required by the relevant legislation or the purposes for which the data is being processed. To this end, the company first determines whether there is a statutory retention period for the data and adheres to it. If no such period is specified, personal data is retained for as long as necessary to fulfill the processing purpose. Once the retention period expires or the reason for processing ceases to exist, the personal data is deleted, destroyed, or anonymized by our company.


9. TERMS (CONDITIONS) OF PROCESSING OF PERSONAL DATA

The personal data processed by our company is handled in accordance with Articles 5 and 6 of the Personal Data Protection Law No. 6698. As a rule, personal data cannot be processed without the explicit consent of the data subject. However, personal data may be processed without the explicit consent of the data subject in the presence of one of the following terms:

▪ Explicitly stipulated by law: The principle of legality.

▪ Necessity to protect the life or physical integrity of a person who is unable to express their consent or whose consent is not legally valid due to actual impossibility.

▪ Necessary for the performance or establishment of a contract, provided that the processing is directly related to the contract to which the data subject is a party.

▪ Required for the fulfillment of the data controller’s legal obligations.

▪ Made public by the data subject: Public disclosure.

▪ Necessary for the establishment, exercise, or protection of a right.

▪ Required for the legitimate interests of the data controller, provided that the processing does not harm the fundamental rights and freedoms of the data subject.


10. CONDITIONS (TERMS) FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

The special categories of personal data processed by our company are handled in accordance with Article 6 of the Personal Data Protection Law No. 6698. Special categories of personal data include information related to an individual's race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data. The processing of special categories of personal data without the explicit consent of the data subject is prohibited by law. Accordingly, special categories of personal data cannot be processed without the explicit consent of the data subject. However, as stipulated in the law, personal data other than those related to health and sexual life may be processed without the explicit consent of the data subject in cases specified by law. Personal data related to health and sexual life may only be processed without explicit consent for the following purposes:

▪ Protecting public health,

▪ Preventive medicine,

▪ Medical diagnosis, treatment, and care services,

▪ Planning and management of health services and their financing,

▪ By persons or authorized institutions and organizations bound by confidentiality obligations.

Our company processes special categories of personal data in compliance with the Personal Data Protection Law No. 6698 and relevant legal regulations, and takes adequate measures as determined by the Personal Data Protection Board.


11. COLLECTION OF PERSONAL DATA AND LEGAL GROUNDS:

Your personal data is processed and collected in accordance with the purposes of personal data processing mentioned above, and the services we provide. This may be through channels such as email, the organization of printed forms, fulfillment of obligations arising from contracts, the creation of personnel files, the preparation and execution of contracts, and the processing of accounting, financial, legal, and other related information. Personal data is processed either fully or partially by automated means, or non-automated means, provided that it is part of a data recording system. Your personal data, including special categories of personal data, is processed based on the explicit consent of the individual, in accordance with the legal regulations our company is subject to. In addition, your personal data is processed without explicit consent in the presence of the following legal grounds. Accordingly, your personal data is processed, collected, and transferred based on the following legal grounds:

▪ When it is explicitly stipulated by law,

▪ When it is necessary to protect the life or physical integrity of a person who is unable to express consent or whose consent is not legally valid due to actual impossibility,

▪ When it is necessary for the establishment or performance of a contract between our company and natural or legal persons,

▪ When the personal data is made public by the individual,

▪ When processing is necessary for the establishment, exercise, or protection of a legal right,

▪ When it is necessary for the legitimate interests of the data controller, provided that such processing does not harm the fundamental rights and freedoms of the data subject.

Your personal data is processed, collected, and transferred in accordance with Articles 5 and 6 of the Personal Data Protection Law and is retained for as long as required by the relevant legislation within the scope of company activities.


11.1. Processing of Personal Data

▪ Identity Information (Name-surname, date of birth, country of birth, city of birth, gender, marital status, Turkish ID card details, Social Security Institution (SGK) registration number, father’s name, mother’s name, registered province of birth, tax identification number, and other identity data used to identify you)

▪ Contact Information (Phone numbers, contact address, email address, home address, work address, address during leave, and other communication data obtained when you contact us)

▪ Personnel Information (Personal information on contracts filled out by employees, educational background, diploma details, certificate information, Social Security registration number, general health insurance information, private health insurance details, SGK entry and exit notifications, dependent information, spouse and child relationship details, family registration details, documents related to responsibilities based on job role, work certificates, resignation and termination details, severance and notice pay slips, payroll information, disciplinary investigation records, service records, CV details, leave information, performance evaluation reports, accident and occupational injury records, bank account details, IBAN information, personal health and safety data, military service information, personal card details for entry-exit procedures, and information on job applications)

▪ Financial Information (Billing and payment details, bank account number, IBAN number, credit card information, financial data related to notifications made to SGK and relevant institutions, payroll, expense advance information, tax identification number, tax office details, invoices, delivery notes, personal information on delivery receipts, and information in contract appendices with third parties)

▪ Legal Transaction Information (Personal data involved in legal relations and services provided, legal disputes, court cases, prosecutor cases, mediators, arbitration boards, legal authorities, personal data in records, forms and reports kept for legal disputes and similar matters)

▪ Professional Experience Information (Education status, school, diploma details, work life, internships, seminars, in-service training, certifications, other information provided in forms, title, and job role details)

▪ Visual and Audio Records (Photos on documents such as medical reports, job application forms, printed or electronic forms, official identity documents, and video or camera recordings within the scope of company activities)

▪ Physical Security Information (Camera footage, security logs, forms, and vehicle plate details)

▪ Professional Experience, Information, and Photos for Promotional, Advertising, and Informational Purposes (Employee CVs and photos as part of company activities)

▪ Request and Complaint Information (Information and records collected from electronic and physical environments, as well as information from requests and complaints received via internet and online systems and the related evaluation and management processes)

▪ Product Delivery Information (Delivery details of ordered products)

▪ Customer Transaction Information (Membership details)

▪ Criminal Conviction and Security Measure Information (Criminal records, conviction details, and legal status information)

▪ Health Information (Disability reports, rest reports, medical examinations, patient diagnoses, doctor analyses and opinions, health reports, health information provided on job application forms, medical reports for employees, personal health and physical disability details, health board reports, and all other personal health data)

Your personal data is processed and protected by our company, acting as the data controller, in accordance with Article 20 of the Constitution, Article 4 of the Personal Data Protection Law, and the provisions of the Regulation on Personal Health Data, based on the legal reasons and purposes stated above.


Regarding Personal Data of Customers or Customer Employees Receiving Services

For the purposes of conducting company operations and carrying out legal notifications related to the services provided by the company, as well as managing internal company processes, the following personal data of customers or customer employees may be processed:

Personal data such as name, surname, Turkish ID number, signature, and other personal information used to identify the individual and verify their identity.

Personal data required for fulfilling legal obligations to notify relevant institutions and authorities concerning customers or customer employees.

Contact details such as phone numbers, addresses, email addresses, tax office, and tax identification numbers to facilitate communication and manage related business processes.

Vehicle information, license plate numbers, and vehicle insurance details for the delivery and inspection of products/goods and the execution of business operations.

Bank details and other financial information for billing processes, as well as contact and address information for delivery purposes, in compliance with both internal business processes and contractual obligations, and legal requirements for notifications to be made to insurance companies, shipping firms, banks, the Social Security Institution, the Ministry of Customs and Trade, and affiliated institutions.

Physical or electronic written documents, used for follow-up and managing necessary processes in case of any complaints, notifications, or inquiries made by related persons.

All of the above personal data may be processed by the company.


Regarding Personal Data of Visitors

Video recordings of individuals visiting the company, captured through camera surveillance and recording activities conducted for the purpose of maintaining order and security within the company.

Video recordings and license plate data of vehicles entering the parking area, captured and recorded via cameras to ensure company security.

Regarding Personal Data of Employees

Personal data such as identity information, personnel information, bank account information, communication information, contact information, health information and other personal data can be processed within the scope of the relevant legislation, in line with the purpose and methods of making notifications to public institutions and organizations and all authorized public/private legal entities and providing the necessary documents during audits.

Personal data can be processed by recording images with a camera in order to ensure order and security within the company.

Personal data can be processed by recording it with relevant programs within the scope of workflows within the company, and also for performance evaluations and for recording the hours of entry to and exit from work.

Personal data can be processed by conducting health screenings in accordance with the legislation on occupational health and safety.

Personal data can be processed by performing legal notifications in case of a work accident and performing necessary examinations and follow-ups in order to protect public health.

Personal data can be processed by performing debts and obligations arising from the relevant legislation and employment contract.


12. PRINCIPLES REGARDING PERSONAL DATA STORAGE AND DESTRUCTION

With this policy created by our company, personal data of our employees, customers, customer employees, suppliers, service providers, managers and employees, business/solution partners, company partners, workplace physicians, employees of public institutions and organizations we are in contact with and private law legal entities and relevant third parties are stored and destroyed in accordance with the relevant legislation, procedure and law. Detailed explanations regarding storage and destruction are below.


12.1. Storage of Personal Data

The processing of personal data is defined in Article 3 of Law No. 6698. In Article 4 of the same law, it is regulated that the processed personal data must be relevant, limited and proportionate to the purpose for which it is processed and must be stored for the period stipulated in the relevant legislation or necessary for the purpose of processing. The processing conditions of personal data are listed in Articles 5 and 6 of Law No. 6698. Detailed explanations regarding this are written in this policy text above. Within the scope of the company's activities, personal data is stored for the period stipulated in the relevant legislation or required for our processing purposes by taking administrative and technical measures. Although processed in accordance with the provisions of the relevant law, if the storage period expires and the reasons requiring processing are eliminated, personal data is deleted, destroyed or anonymized in accordance with the legislation, ex officio or upon the request of the relevant person. These operations are carried out in accordance with the periods, procedures and principles specified in the Regulation on Personal Health Data and the Regulation on the Deletion, Destruction or Anonymization of Personal Data and relevant legal regulations. All operations regarding the deletion and destruction of personal data are recorded and stored in accordance with the necessary legal obligations.


12.2. Legal Reasons Requiring the Storage of Personal Data

Within the scope of this company policy, personal data processed within the scope of our company's activities are stored and kept for the period specified in the relevant legislation. Within the scope of the above-mentioned periods and secondary regulations stipulated in the laws to which individuals are subject within the scope of company activities, personal data is stored for the period specified in the law and the statute of limitations for crimes stipulated in the laws.

The limitation periods stipulated in the legal legislation to which our company is subject within the scope of its activities and disputes that have or may arise with third parties with whom the company is in legal contact are determined by this policy by taking into account the company's corporate memory and commercial business and activities and the legitimate interests of the company and the establishment and execution processes of the contracts it has made or will make with the relevant data owners, outside the periods stipulated in the laws.


12.3. Data Processing Purposes Requiring Storage of Personal Data

The Company stores personal data for the following purposes, limited to company activities and in accordance with relevant legislation. Accordingly, the processing purposes that require the storage of personal data are determined as follows:

▪ In accordance with the relevant legislation we are subject to, to share the personal data we obtain with the Social Security Institution and other relevant public institutions and organizations, to respond to the requests of the institutions, to make the necessary notifications to the relevant public institutions and organizations, to fulfill legal obligations,

▪ Within the scope of the services we provide and company activities, to ensure the preservation of data that needs to be stored according to the legislation,

▪ To confirm your identity, to confirm your legal contact with the contracted institutions within the scope of the service provided, to ensure invoicing and financial reconciliation, to make notifications to the relevant institutions and organizations arising from the legislation,

▪ To follow up on the request and complaint processes, to conduct the examinations and evaluations required for the services provided,

▪ To develop the company services, to continue corporate development activities, to continue marketing activities, to maintain the company's finance and accounting, administrative, legal, technical business processes, to fulfill risk management and quality development processes,

▪ To plan and execute human resources processes, to fulfill job application processes, to create personnel files for employees, to fulfill financial obligations, to determine the company's wage policy,

▪ Establishment and execution of contracts made or to be made between our company, customers, customer employees, suppliers, service providers, employees and consultants with whom it has legal relations, relevant institutions and organizations, third parties,

▪ To provide evidence regarding the liability of proof of the company in legal disputes with third parties,

▪ To ensure communication between our company and relevant persons and organizations, to maintain the necessary processes for you to fill out physical forms, to ensure the transaction security of relevant persons,

▪ To provide the necessary information to regulatory and supervisory official institutions, private law legal entities,

▪ To ensure that invoicing, payment and delivery transactions are carried out regarding the services provided,

▪ Monitoring the security of customers, visitors, employees and relevant third parties through camera recording system, ensuring legal, technical and commercial work safety, ensuring physical security of company buildings and annexes and their surroundings,

▪ To ensure performance evaluation and work attendance and control through personnel attendance control system within the scope of employment contracts made with employees and company interests, and to ensure control of entrances and exits of company buildings and annexes,

▪ To take all necessary technical and administrative measures within the scope of data security measures,

▪ To give information and documents requested by judicial bodies and/or administrative authorities,

▪ To provide Information to Authorized Persons, Institutions and Organizations,

▪ To carry out Finance and Accounting Affairs,

▪ To fulfill Obligations Arising from Employment Contracts and Legislation for Employees,

▪ To carry out Extra Rights and Benefits Processes for Employees,

▪ To ensure Customer/Member Experience Improvement,

▪ To make the necessary arrangements to ensure that the processed data is up-to-date and accurate and to carry out the activities related to all these processes.

▪ To carry out advertising and marketing activities.

For these purposes, your personal data is processed in accordance with the conditions and purposes determined in accordance with Articles 5 and 6 of the Law. Personal data is not used for any purpose other than the activities of our company.


12.4. Reasons Requiring Destruction of Personal Data

Personal data is deleted, destroyed or anonymized by the company in accordance with the procedures and principles stipulated in the policy, law and regulation, upon the request of the relevant person, by filling out the application form, for the reasons specified below. Accordingly, personal data is destroyed for the following reasons:

▪ In case the purpose requiring the processing or storage of personal data by the company is eliminated.

▪ In case the relevant legislative provisions that form the basis for the processing of personal data are changed or repealed.

▪ In case the relevant person withdraws his/her explicit consent, where the processing of personal data by the company is carried out only on the basis of explicit consent.

▪ In case the application made by the relevant person to the company within the scope of his/her application rights pursuant to Article 11 of the Personal Data Protection Law No. 6698, regarding the deletion and destruction of his/her personal data is accepted by the Personal Data Protection Authority,

▪ In cases where the Personal Data Protection Authority rejects the application made by the relevant person requesting the deletion, destruction or anonymization of his/her personal data, or finds the response insufficient or does not respond within the period stipulated in Law No. 6698; if the relevant person files a complaint with the Personal Data Protection Board and this request is approved by the Personal Data Protection Board.

▪ In accordance with the relevant legal regulation, the maximum period requiring the storage of personal data has passed and there is no reason to store personal data.


13. PRINCIPLES REGARDING THE TRANSFER OF PERSONAL DATA

Personal data of the relevant persons are processed by our Company in accordance with Article 8 titled “Data Transfer” of the Personal Data Protection Law No. 6698. According to this article of the law, personal data is transferred to third parties if the data processing conditions in Articles 5 and 6 of Law No. 6698 are met. If the data processing conditions in Articles 5 and 6 of the Law are not met, data is transferred to third parties with the explicit consent of the relevant persons.

Data transfer between relevant departments within our company is not considered as data transfer within the meaning of Article 8 of the KVKK, and such data transfer is not subject to any conditions.

In order for it to be considered as personal data transfer under the conditions stipulated by the law, our company must have transferred data to another company or to third parties that do not work within our company. Our company does not transfer data from e-mail addresses based abroad (such as Gmail, Yahoo, etc.). In cases where situations requiring personal data transfer arise, a local data-based e-mail address is used. The programs in which files are kept, stored and backed up by our company are local data-based systems. Our company takes utmost care not to transfer data abroad. Our company does not transfer data abroad.


14. TECHNICAL AND ADMINISTRATIVE MEASURES REGARDING PROCESSING, STORAGE AND DESTRUCTION OF PERSONAL DATA

In the processing of personal data, all principles set out in the law, especially the general principles set out in Article 4 of the Law, are taken into consideration. The necessary physical, technical and administrative measures are taken by the company employees to prevent unauthorized persons from being present in sections such as counters and desks, and to prevent service recipients in close proximity from hearing, seeing, learning or obtaining each other's personal data.

Within the scope of the regulations determined by this policy, in order to store personal data securely and lawfully, to prevent unlawful processing and access, to prevent data leaks and to destroy personal data in accordance with the law, the following technical and administrative measures are taken by the company as the data controller. These measures follow the necessary sufficient measures determined and announced by the Personal Data Protection Board, with the aim of complying with Article 6/4 of the Personal Data Protection Law No. 6698, which states that "In the processing of special personal data, it is also necessary to take sufficient measures determined by the Board", and of ensuring the security of personal data as specified in Article 12 of the same law.


14.1. Technical Measures:

The technical measures to be taken are announced by the Personal Data Protection Authority on https://www.kvkk.gov.tr. The necessary measures are taken by the company as the data controller regarding the technical measures announced by the Personal Data Protection Authority.


14.2. Administrative Measures:

By sending a notarized or registered letter to our company address or by corresponding via our company e-mail address, everyone can apply to our company, which is the data controller, and exercise the rights stipulated in Article 11 of the Law regarding themselves. In applying to our company, which is the data controller, the provisions of Article 13 of the Law and the Communiqué on the Procedures and Principles of Application to the Data Controller are enforced. In fulfilling the obligation to inform, the provisions of Article 10 of the Law and the "Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Inform" are applied. The necessary administrative measures have been taken by the company regarding the administrative measures declared by the Personal Data Protection Board. The company has taken the necessary decisions as an institution within the scope of compliance with the Law on the Protection of Personal Data No. 6698, has fulfilled its obligations under the law, and has created and announced the policies that need to be published.

The company has determined the personal data protection, processing, storage and destruction policy and the data contact person within the company, and the implementation of this policy is ensured by the KVK committee. Necessary awareness studies have been initiated in order to prevent the unlawful processing of personal data, to improve the qualifications of employees, to prevent unlawful access to personal data, and to ensure the preservation of personal data. The KVK Data Contact Person and the KVK committee have been determined, and their authorities, duties and responsibilities have also been defined. Studies have been initiated to fulfill the storage and destruction requirements regarding personal data. Necessary actions have been taken to ensure compliance with the KVK Law. Company contracts and texts containing personal data are scanned and made compliant with the KVKK.


15. EXPLANATIONS ON PERSONAL DATA DESTRUCTION TECHNIQUES

Personal data processed by our company will be destroyed at the end of the period stipulated in the relevant legislation or the required retention period for the purpose for which they are processed. The destruction process is carried out by the authorized units of the company on its own or upon the application of the relevant personal data owner to our company, in accordance with the Personal Data Protection Law No. 6698 and the relevant legislation, using the methods and techniques specified below.


15.1. Deletion of Personal Data

▪ Personal Data on the Server Where Data is Recorded: For personal data on servers whose storage period has expired, the access authorization of the relevant users is removed by the system administrator and the deletion process is carried out.

▪ Personal Data in Electronic Media: Personal data in electronic media whose storage period has expired is rendered inaccessible to and non-reusable by all employees (relevant users) except for the database administrator.

▪ Personal Data in Physical Media: Personal data kept in physical media that require storage is rendered inaccessible to and non-reusable by all employees except for the unit manager responsible for the document archive. In addition, a blackout process is applied by drawing/painting/erasing it so that it cannot be read.

▪ Personal Data on Portable Media: Personal data kept in flash-based storage media whose storage period has expired are encrypted by the system administrator and access authorization is granted only to the system administrator and stored in secure environments with encryption keys.


15.2. Destruction of Personal Data

▪ Personal Data in Physical Media: Personal data in paper media whose storage period has expired are destroyed in paper shredders in a way that cannot be recycled.

▪ Personal Data in Optical-Magnetic Media: Personal data in optical and magnetic media whose storage period has expired are subjected to physical destruction processes such as melting, burning or pulverization. In addition, magnetic media is exposed to a high-value magnetic field using a special device, rendering the data on it unreadable.


15.3. Anonymization of Personal Data

Anonymization of personal data is the process of rendering personal data incapable of being associated with an identified or identifiable natural person in any way, even when it is matched with data belonging to other third parties. For personal data to count as anonymized, it must be made incapable of being linked/associated with the natural person in question even through the use of techniques appropriate for the recording medium and relevant field of activity, such as the data being returned to its original form by the data controller or third parties, or personal data being matched with other data.


16. PERSONAL DATA STORAGE AND DESTRUCTION PERIOD

The Company stores the personal data it processes within the scope of the policy and relevant legislation according to the category of data processed, for the periods stipulated in the relevant legislation or required by the purpose of processing, and in accordance with the procedures and principles determined by the Personal Data Protection Law and this policy. The retention and destruction periods of personal data have been determined by taking into account the legitimate interests of the Company and the processes of establishing and executing contracts made or to be made with the relevant data owner, as well as lawsuits and legal transactions that may be filed. Our Company stores personal data held within the scope of its activities for the period specified in the relevant legislation or required for the purpose for which the personal data is processed, depending on the nature of the data processed. Regarding the processed personal data, it is first determined whether a period is stipulated in the relevant legislation for the storage of personal data. Then, personal data is stored in accordance with the specified period. If no period is stipulated, the processed personal data is stored for the period required for the purpose for which it is processed and determined in accordance with the policies implemented by our Company.


17. DATA CONTROLLER'S OBLIGATION TO INFORM (Responsibility to Inform)

Our company pays utmost attention to the processing and protection of your personal data in accordance with the Personal Data Protection Law No. 6698 (“KVKK”). As the data controller; all necessary technical and administrative measures have been taken to prevent unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data. In accordance with Article 10 of the Law; we are informing you with the policies and information text created to cover personal data of customers receiving service, customer employees, visitors and our employees, suppliers, service providers and their managers and employees, business/solution partners, workplace physicians, company partners, employees of public institutions and organizations we are in contact with and private law legal entities and relevant third parties. In accordance with the said information obligation, the information that needs to be notified to personal data owners is stated below as listed in the law:

1. The identity of the data controller and, if applicable, their representative,

2. The purpose for which personal data will be processed,

3. To whom and for what purpose the processed personal data can be transferred,

4. The method and legal reason for collecting personal data,

5. The application and other rights listed in Article 11 of the Personal Data Protection Law.


18. RIGHTS OF THE PERSONAL DATA OWNER (RIGHT TO APPLY)

Within the scope of Article 11 of the Personal Data Protection Law No. 6698, which "regulates the rights of the relevant person", and according to the Communiqué on the Procedures and Principles of Application to the Data Controller, you can apply to our company as the data controller by sending an e-mail to the e-mail address published on the website http://www.capriswing.com/ or by writing a notarized letter or registered letter to our address.


18.1. Right of Application of the Personal Data Owner

In accordance with Article 11 of the Law, everyone has the following rights regarding themselves by applying to the data controller:

1. To learn whether personal data has been processed,

2. To request information if personal data has been processed,

3. To learn the purpose of processing personal data and whether they are used in accordance with their purpose,

4. To know the third parties to whom personal data is transferred domestically or abroad,

5. To request correction of personal data if they are processed incompletely or incorrectly,

6. To request deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the KVKK,

7. In case of correction, deletion or destruction of personal data, to request that these operations be notified to third parties to whom personal data has been transferred,

8. To object to the emergence of a result against the person by analyzing the processed data exclusively through automated systems,

9. To request compensation for damages incurred due to unlawful processing of personal data,


18.2. Procedure, period and principles for the Data Controller to Respond to Applications

Pursuant to Article 13/1 of the Personal Data Protection Law No. 6698, you must submit your applications to our company in writing or through the methods specified above as determined by the Personal Data Protection Institution. Our company will finalize your requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee specified in the tariff determined by the Board will be requested. In this context, if the application of the relevant person is answered in writing, no fee will be charged for up to ten pages, and a transaction fee of 1 TL will be charged for each page over ten pages. If the response to the application is given on an electronic recording medium such as a CD or flash drive, the fee that may be requested by our company will not exceed the amount of the cost required by the recording medium. If the application is caused by the mistake of the data controller, the fee received will be returned to the relevant person.


18.3. The Right of the Personal Data Owner to Complain to the Board

In cases where the application is rejected, the response is found insufficient or the application is not responded to in a timely manner, the relevant person may lodge a complaint with the Board within thirty days from the date of learning of the response of the data controller and, in any case, within sixty days from the date of application. In accordance with Article 13 of the Law, a complaint cannot be filed without first going through the application procedure.


19. SITUATIONS WHERE THE PERSONAL DATA OWNER CANNOT ASK FOR HIS RIGHTS

Pursuant to Article 28/1 of the Personal Data Protection Law No. 6698, the following issues are excluded from the scope of application of the law (exceptions). Personal data owners cannot assert their rights listed in Article 16 above.

Exceptions:

▪ Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not disclosed to third parties and that data security obligations are complied with.

▪ Processing of personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.

▪ Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public safety, public order, economic security, privacy of private life or personal rights or do not constitute a crime.

▪ Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.

▪ Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial or execution procedures. Article 28/2 of the Personal Data Protection Law No. 6698.

Pursuant to Article 28/2 of the Personal Data Protection Law No. 6698, and provided that it is in accordance with and proportionate to the purpose and basic principles of this law, Article 10, which regulates the data controller's obligation to inform, Article 11, which regulates the rights of the relevant person, excluding the right to demand compensation for damages, and the rights specified in Article 16, which regulates the obligation to register in the Data Controllers Registry, do not apply in the following cases:

▪ Personal data processing is necessary for the prevention of a crime or for a criminal investigation.

▪ Processing of personal data made public by the relevant person.

▪ Personal data processing is necessary for the performance of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institution, based on the authority granted by law.

▪ Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters.


20. PERIODIC DESTRUCTION AND AUDIT PERIOD OF PERSONAL DATA

The periods for deleting, destroying or anonymizing personal data ex officio are regulated in Article 11 of the Regulation as written below. Accordingly; the data controller who has prepared the personal data storage and destruction policy deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises. The time period for periodic destruction is determined by the data controller in the personal data storage and destruction policy. Accordingly, the destruction periods in our company have been decided as January 1 and June 1.


21. DELETION AND DESTRUCTION PERIODS UPON THE APPLICATION OF THE PERSON CONCERNED

The periods for erasing and destroying personal data upon the application of the relevant person are regulated in Article 12 of the Regulation as written below. Accordingly, if all the conditions for processing personal data have been eliminated, the data controller shall delete, destroy or anonymize the personal data subject to the request. The data controller shall finalize the request of the relevant person within thirty days at the latest and inform the relevant person. If all the conditions for processing personal data have been eliminated and the personal data subject to the request have been transferred to third parties, the data controller shall notify the third party of this situation. The data controller shall also ensure that the necessary procedures are carried out within the scope of this Regulation with the third party. If all the conditions for processing personal data have not been eliminated, this request may be rejected by the data controller by explaining the reason in accordance with the third paragraph of Article 13 of the Law and the rejection shall be notified to the relevant person in writing or electronically within thirty days at the latest.


22. PUBLISHING, STORING AND UPDATING THE COMPANY POLICY

This policy prepared by the company is published with wet-ink signature (printed paper). The printed paper copy is kept in the KVKK file by the data contact person. This policy is reviewed by the designated data contact person/KVK committee within the scope of their authority and responsibility, as needed, once a year at the end of each year, from the date of publication, and the relevant sections will be updated as necessary. This policy is also published on the company's website.


23. ENFORCEMENT AND REPEAL OF THE POLICY

This policy written in articles above shall be deemed to have entered into force after its publication on the company's website. In the event that it is decided to repeal the policy with the approval of the data controller and the decision of the personal data contact person, the old copies of the policy with wet-ink signature shall be canceled by the data contact person and signed by the data contact person (by stamping or writing cancellation) and kept by the personal data contact person in the relevant unit for at least 5 years.