Protection of personal data, Gürel Tekstil San. And Trade. Ltd. It is among the most important priorities of Şti. (“Company”). The most important part of this issue is the protection and processing of the personal data of our employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties, which are governed by this Policy.
T.R. According to the Constitution, everyone has the right to request the protection of their personal data. Regarding the protection of personal data, which is a right guaranteed by the Constitution, the company is governed by this Policy; It pays due attention to the protection of the personal data of employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions it cooperates with, and third parties, and makes this a Company policy.
In this context, the company takes the necessary administrative and technical measures to protect personal data processed within the framework of legal legislation.
In this Policy, the basic principles adopted by the company in the processing of personal data are as follows;
Processing personal data in accordance with the law and the rules of honesty,
Keeping personal data accurate and updated when necessary,
Processing personal data for specific, clear and legitimate purposes,
Limited and measured processing of personal data in connection with the purpose for which they are processed,
Keeping personal data for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed,
Enlightening and informing personal data owners,
Establishing the necessary system for personal data owners to exercise their rights,
Taking necessary precautions to preserve personal data,
Acting in accordance with the relevant legislation and KVK Board regulations in transferring personal data to third parties in line with the requirements of the processing purpose,
To show the necessary sensitivity to the processing and protection of special personal data.
ARTICLE 1: PURPOSE OF THE POLICY
The main purpose of the policy is the personal data processing activity carried out by the company in accordance with the law, and in this context, the personal data of our customers, employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with and third parties. To ensure transparency and trust by informing people processed by our company.
ARTICLE 2: CONTENT AND DEFINITIONS
This Policy; It relates to all personal data of our employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties, processed automatically or non-automatically as part of any data recording system.
The scope of application of this Policy for groups of personal data owners in the above-mentioned categories may be the entire Policy; It could be just some of it.
The definitions of the concepts included in this policy text are as follows:
Recipient group: Category of natural or legal persons to whom personal data is transferred by the data controller.
Explicit consent: Consent regarding a specific issue, based on being informed and expressed with free will.
Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
Employee: Company personnel
Electronic environment: Environments where personal data can be created, read, changed and written with electronic devices.
Non-electronic media: All written, printed, visual, etc. other than electronic media. other media
Service provider: Real or legal person who provides services within the framework of a specific contract with the institution.
Relevant person: Natural person whose personal data is processed
Relevant user: Persons who process personal data within the data controller organization or in line with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Destruction: Deletion, destruction or anonymization of personal data
Law: Personal Data Protection Law No. 6698
Recording medium: Any environment where personal data is processed by fully or partially automatic or non-automatic means, provided that it is part of any data recording system.
Personal data: Any information regarding an identified or identifiable natural person.
Personal data processing inventory: Personal data processing activities carried out by data controllers depending on their business processes; The purposes and legal reason for processing personal data, the data category, the transferred recipient group and the data subject group, and the processing of personal data.
They detail the inventory by explaining the maximum retention period required for their intended purposes, the personal data intended to be transferred to foreign countries, and the measures taken regarding data security.
Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. Any action taken on the data, such as preventing its use or
Board: Personal Data Protection Board
Personal data of special nature: Data regarding people’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric data. and genetic data
Periodic destruction: In case all the conditions for processing personal data specified in the law are eliminated, the deletion, destruction or anonymization process specified in the personal data storage and destruction policy and to be carried out ex officio at recurring intervals.
Policy: Personal Data Storage and Destruction Policy
Company: Gürel Tekstil San. And Trade. LLC.
Data processor: Real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data recording system: The recording system in which personal data is structured and processed according to certain criteria.
Data controller: Natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Data controllers registry information system: The information system created and managed by the Presidency, accessible over the internet, to be used by data controllers in applying to the Registry and other relevant transactions related to the Registry.
VERBIS: Data Controllers Registry Information System
Regulation: Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017
ARTICLE 3: IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION
The relevant legal regulations in force regarding the processing and protection of personal data will primarily be applied. In case of incompatibility between the current legislation and the Policy, our Company accepts that the current legislation will apply.
The policy is created by concretizing and regulating the rules set forth by the relevant legislation within the scope of Company practices.
ARTICLE 4: ENFORCEMENT OF THE POLICY
This Policy issued by our Company enters into force on the day it is published on our website. If there is any innovation or change in the policy, the effective date will be updated.
The Policy is published on our Company’s website and made available to relevant persons upon the request of personal data owners.
ARTICLE: 5 ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA
In accordance with Article 12 of the KVKK, our company takes all the necessary administrative, technical and legal measures to prevent the unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure appropriate security to ensure the preservation of the data, and carries out all necessary inspections in this context. provides.
ARTICLE 6: ENSURING THE SECURITY OF PERSONAL DATA
6.1 Technical and Administrative Measures Taken to Ensure Lawful Processing of Personal Data
Our company takes technical and administrative measures according to technological possibilities and implementation costs to ensure that personal data is processed in accordance with the law.
Technical Measures Taken to Ensure Lawful Processing of Personal Data
The main technical measures taken by our company to ensure the lawful processing of personal data are listed below:
Personal data processing activities carried out within our company are audited by established technical systems.
The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism.
Technically knowledgeable personnel are employed.
Administrative Measures Taken to Ensure Lawful Processing of Personal Data
The main administrative measures taken by our company to ensure the lawful processing of personal data are listed below:
Employees are informed and trained about personal data protection law and the lawful processing of personal data.
All activities carried out by our company are analyzed in detail for all business units, and as a result of this analysis, personal data processing activities are revealed specific to the commercial activities carried out by the relevant business units.
Personal data processing activities carried out by our company’s business units; These activities are subject to personal data processing required by Law No. 6698.
The requirements to be met to ensure compliance with the terms and conditions are determined specifically for each business unit and the detailed activity it carries out.
In order to ensure that our business units meet the legal compliance requirements, awareness is created and implementation rules are determined for the relevant business units; Necessary administrative measures to ensure the control of these issues and the continuity of the application are implemented through internal policies and trainings.
Records that impose the obligation not to process, disclose or use personal data, except for the Company’s instructions and exceptions imposed by law, are included in the contracts and documents governing the legal relationship between our Company and employees, and employees’ awareness on this issue is created and inspections are carried out.
6.2 Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data
Our company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities and implementation costs in order to prevent personal data from being disclosed, accessed, transferred without care or unauthorized, or any other unlawful access.
Technical Measures Taken to Prevent Illegal Access to Personal Data
The main technical measures taken by our company to prevent unlawful access to personal data are listed below:
Technical measures are taken in accordance with the developments in technology, and the measures taken are periodically updated and renewed.
Access and authorization technical solutions are implemented in accordance with legal compliance requirements determined on a business unit basis.
The technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, and the issues that pose a risk are re-evaluated and the necessary technological solutions are produced.
Software and hardware including virus protection systems and firewalls are installed.
Technically knowledgeable personnel are employed.
Administrative Measures Taken to Prevent Unlawful Access to Personal Data
The main administrative measures taken by our company to prevent unlawful access to personal data are listed below:
Employees are trained on the technical measures to be taken to prevent unlawful access to personal data.
Access to personal data and authorization processes are designed and implemented within the Company in accordance with business unit-based legal compliance requirements.
Employees are informed that they cannot disclose the personal data they have learned to anyone else in violation of the provisions of the Personal Data Protection Law or use it for purposes other than the purpose of processing, and that this obligation will continue after they leave office, and the necessary commitments are taken from them in this regard.
Contracts concluded by our company with persons to whom personal data is transferred in accordance with the law; Provisions are added stating that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.
6.3 Storing Personal Data in Secure Environments
Our company takes the necessary technical and administrative measures, according to technological possibilities and implementation costs, to store personal data in secure environments and to prevent their destruction, loss or alteration for unlawful purposes.
Technical Precautions Taken to Store Personal Data in Secure Environments
The main technical measures taken by our company to store personal data in secure environments are listed below:
Systems compatible with technological developments are used to store personal data in secure environments.
Personnel specialized in technical matters are employed.
Technical security systems are established for hiding areas, the technical measures taken are periodically reported to the relevant person in accordance with the internal audit mechanism, risky issues are re-evaluated and the necessary technological solutions are produced.
Backup programs are used in accordance with the law to ensure that personal data is stored safely.
Administrative Measures Taken to Store Personal Data in Secure Environments
The main administrative measures taken by our company to store personal data in secure environments are listed below:
Employees are trained to ensure that personal data is stored securely.
In case our company receives an external service due to technical requirements regarding the storage of personal data, the contracts concluded with the relevant companies to which the personal data are transferred in accordance with the law; Provisions are included stating that the persons to whom personal data are transferred will take the necessary security measures to protect personal data and ensure that these measures are complied with in their own organizations.
6.4 Protection of Personal Data
Audit of the Measures Taken in the
Our company carries out or has the necessary inspections carried out within its own structure in accordance with Article 12 of the KVKK. These audit results are reported to the relevant unit within the scope of the internal functioning of the company and the necessary activities are carried out to improve the measures taken.
6.5 Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
Our company will ensure that if personal data processed in accordance with Article 12 of the KVKK is obtained by others through illegal means, this situation will be reported to the relevant personal data owner and the KVK Board as soon as possible.
If deemed necessary by the KVK Board, this situation may be announced on the KVK Board’s website or by another method.
ARTICLE 7: RESERVATION OF DATA OWNER’S RIGHTS; CREATION OF CHANNELS TO TRANSMIT THESE RIGHTS TO OUR COMPANY AND EVALUATION OF THE DATA HOLDER’S REQUESTS
Our company carries out the necessary channels, internal functioning, administrative and technical regulations in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data owners and provide the necessary information to personal data owners.
If personal data owners submit their requests regarding their rights listed below to our Company in writing, our Company finalizes the request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, our Company will charge the fee in the tariff determined by the KVK Board. Personal data owners;
Learning whether personal data is processed or not,
Requesting information if personal data has been processed,
Learning the purpose of processing personal data and whether they are used for their intended purpose,
Knowing the third parties to whom personal data is transferred at home or abroad,
Requesting correction of personal data in case personal data has been processed incompletely or incorrectly and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred,
Requesting the deletion or destruction of personal data in case the reasons requiring processing no longer exist, even though it has been processed in accordance with the KVK Law and other relevant legal provisions, and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred,
Objecting to the emergence of a result that is unfavorable to the individual by analyzing the processed data exclusively through automatic systems,
In case of damage due to unlawful processing of personal data, they have the right to demand compensation for the damage.
More detailed information about the rights of data owners is included in this Policy.
ARTICLE:8 PROTECTION OF SPECIAL PERSONAL DATA
With the Personal Data Protection Law, special importance has been attached to certain personal data due to the risk of causing victimization or discrimination to individuals if processed unlawfully.
These data; Data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Our company acts with care in protecting special personal data, which are determined as “special nature” by the Personal Data Protection Law and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company to protect personal data are carefully implemented in terms of special personal data and the necessary inspections are provided within the company.
Detailed information about the processing of sensitive personal data is included in this Policy.
ARTICLE: 9 INCREASING THE AWARENESS AND AUDIT OF BUSINESS UNITS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
Our company organizes the necessary training for business units to raise awareness on preventing unlawful processing of personal data, unlawful access to data, and ensuring the preservation of data.
Necessary systems are established to raise awareness of the current employees of the company’s business units and the newly recruited employees about the protection of personal data, and we work with professionals if necessary.
ARTICLE 10: INCREASING THE AWARENESS AND AUDIT OF BUSINESS PARTNERS AND SUPPLIERS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
Our company organizes trainings and seminars for business partners to prevent unlawful processing of personal data, prevent unlawful access to data, and raise awareness about ensuring the preservation of data.
The trainings carried out for the company’s business partners are repeated periodically, and the current employees of the business partners and the newly recruited employees of the business unit are trained.
Necessary systems are established to raise people’s awareness about the protection of personal data, and we work with professionals if necessary.
The results of the training carried out to raise awareness of the company’s business partners about the protection and processing of personal data are reported to the holding. In this regard, our company evaluates the participation in relevant trainings, seminars and information sessions and carries out the necessary inspections or has them carried out. Our company updates and renews its training in parallel with the update of the relevant legislation.
ARTICLE 11: ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA
Our company, in accordance with Article 20 of the Constitution and Article 4 of the KVK Law, regarding the processing of personal data; In accordance with the law and the rules of honesty; accurate and up to date when necessary; Pursuing specific, clear and legitimate purposes; engages in personal data processing in a limited and measured manner in connection with the purpose. Our company retains personal data for the period stipulated by law or required by the purpose of processing personal data.
In accordance with Article 20 of the Constitution and Article 5 of the KVK Law, our company processes personal data based on one or more of the conditions in Article 5 of the KVK Law regarding the processing of personal data.
Our company informs personal data owners in accordance with Article 20 of the Constitution and Article 10 of the Personal Data Protection Law and provides the necessary information if personal data owners request information.
Our company complies with the regulations stipulated in the processing of special personal data in accordance with Article 6 of the KVK Law.
In accordance with Articles 8 and 9 of the KVK Law, our company complies with the regulations stipulated in the law and put forward by the KVK Board regarding the transfer of personal data.
ARTICLE 12: PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES PROVIDED IN THE LEGISLATION
12.1 Processing in accordance with the Law and the Rules of Honesty
Our company; It acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, our Company takes into account the proportionality requirements in the processing of personal data and does not use personal data for purposes other than what is required.
12.2 Ensuring Personal Data is Accurate and Up-to-Date Where Necessary
Our company; It ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and their own legitimate interests. It takes the necessary measures in this regard.
12.3 Processing for Specific, Clear and Legitimate Purposes
Our company clearly and precisely determines the purpose of processing personal data that is legitimate and lawful. Our company processes personal data in connection with the service it offers and as much as is necessary for them.
12.4 Being Related to the Purpose for Processing, Limited and Proportionate
Our company processes personal data in a manner suitable for achieving the specified purposes and avoids the processing of personal data that is not relevant or needed to achieve the purpose. For example, personal data processing activities are not carried out to meet needs that may arise later.
12.5 Preservation for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose for which they are Processed
Our company retains personal data only for the period specified in the relevant legislation or necessary for the purpose for which they are processed. In this context, our Company first determines whether a period of time is prescribed for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period, and if a period is not determined, it stores personal data for the period necessary for the purpose for which they are processed. If the period expires or the reasons requiring processing disappear, personal data is deleted, destroyed or anonymized by our Company. Personal data is not stored by our Company for possible use in the future. Detailed information on this subject is included in this Policy.
ARTICLE 13: PROCESSING OF PERSONAL DATA BASED ON ONE OR MORE OF THE PERSONAL DATA PROCESSING CONDITIONS SPECIFIED IN ARTICLE 5 OF KVKK AND LIMITED TO THESE TERMS
Protection of personal data is a Constitutional right. Fundamental rights and freedoms can only be limited by law, without affecting their essence, and only for the reasons specified in the relevant articles of the Constitution. In accordance with the third paragraph of Article 20 of the Constitution, personal data can only be processed in cases stipulated by law or with the explicit consent of the person. Our company, in this direction and in accordance with the Constitution; It processes personal data only in cases stipulated by law or with the express consent of the person. Detailed information on this subject is included in this Policy.
ARTICLE 14: CLARIFICATION AND INFORMATION OF THE PERSONAL DATA OWNER
DOWNLOAD
Our company informs personal data owners during the collection of personal data in accordance with Article 10 of the KVK Law. In this context, it clarifies the identity of the Holding and its representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the personal data owner. Detailed information on this subject is included in this Policy.
Article 20 of the Constitution states that everyone has the right to be informed about their personal data. In this regard, Article 11 of the KVK Law includes “requesting information” among the rights of the personal data owner. In this context, our company provides the necessary information if the personal data owner requests information in accordance with Article 20 of the Constitution and Article 11 of the KVK Law. Detailed information on this subject is included in this Policy.
ARTICLE 15: PROCESSING OF SPECIAL PERSONAL DATA
Our company strictly complies with the regulations stipulated in the KVK Law in the processing of personal data determined as “special nature” by the KVK Law.
In Article 6 of the KVK Law, some personal data that poses the risk of causing victimization or discrimination when processed unlawfully are designated as “special nature”. These data; Data regarding race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
By our Company in accordance with the KVK Law; Special categories of personal data are processed in the following cases, provided that adequate measures are taken to be determined by the KVK Board:
If the personal data owner has explicit consent or
If there is no explicit consent of the personal data owner;
Special categories of personal data, other than the health and sexual life of the personal data owner, in cases stipulated by law,
Special personal data regarding the health and sexual life of the personal data owner can only be used by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing. It is processed by.
ARTICLE 16: TRANSFER OF PERSONAL DATA
Our company can transfer the personal data and sensitive personal data of the personal data owner to third parties (third party companies, business partners, third real parties) by taking the necessary security measures in line with the legal personal data processing purposes. In this regard, our company acts in accordance with the regulations stipulated in Article 8 of the KVK Law. Detailed information on this subject is included in this Policy.
16.1 Transfer of Personal Data
Our company may transfer personal data to third parties in line with legitimate and lawful personal data processing purposes, based on one or more of the personal data processing conditions specified in Article 5 of the Law listed below:
If the personal data owner has explicit consent;
If there is a clear regulation in the law regarding the transfer of personal data,
If it is necessary to protect the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to express his/her consent due to actual impossibility or if his/her consent is not given legal validity;
If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
If personal data transfer is mandatory for our company to fulfill its legal obligations,
If personal data has been made public by the personal data owner,
If personal data transfer is mandatory for the establishment, exercise or protection of a right,
If personal data transfer is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
16.2 Transfer of Special Personal Data
Our company takes the necessary care, takes the necessary security measures and takes the adequate precautions prescribed by the KVK Board; In line with legitimate and lawful personal data processing purposes, the personal data owner’s special data may be transferred to third parties in the following cases.
If the personal data owner has explicit consent or
If there is no explicit consent of the personal data owner;
Special personal data other than the health and sexual life of the personal data owner (data regarding race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, criminal conviction and security measures) biometric and genetic data), prescribed by law
in knitted cases,
Special personal data regarding the health and sexual life of the personal data owner can only be used by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing. by.
ARTICLE 17: TRANSFER OF PERSONAL DATA ABROAD
Our company can transfer the personal data and sensitive personal data of the personal data owner to third parties by taking the necessary security measures in line with the legal personal data processing purposes. Personal data by our company; To foreign countries that have been declared to have adequate protection by the KVK Board (“Foreign Country with Adequate Protection”) or, in case there is no sufficient protection, to foreign countries where the data controllers in Turkey and the relevant foreign country have committed in writing to adequate protection and have the permission of the KVK Board. (“Foreign Country Where the Data Controller Committed to Adequate Protection is Located”) is transferred. In this regard, our company acts in accordance with the regulations stipulated in Article 9 of the KVK Law. Detailed information on this subject is included in this Policy.
17.1 Transfer of Personal Data Abroad
Our company may transfer personal data to Foreign Countries Where the Data Controller Has Adequate Protection or Commits to Adequate Protection, if there is the express consent of the personal data owner in line with legitimate and lawful personal data processing purposes, or if there is no explicit consent of the personal data owner, in case of one of the following situations:
If there is a clear regulation in the law regarding the transfer of personal data,
If it is necessary to protect the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to express his/her consent due to actual impossibility or if his/her consent is not given legal validity;
If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
If personal data transfer is mandatory for our company to fulfill its legal obligations,
If personal data has been made public by the personal data owner,
If personal data transfer is mandatory for the establishment, exercise or protection of a right,
If personal data transfer is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
17.2 Transfer of Special Personal Data Abroad
Our company takes the necessary care, takes the necessary security measures and takes the adequate precautions prescribed by the KVK Board; In line with legitimate and lawful personal data processing purposes, the special data of the personal data owner may be transferred to Foreign Countries Where the Data Controller Has Sufficient Protection or Undertakes Adequate Protection is located in the following cases.
If the personal data owner has explicit consent or
If there is no explicit consent of the personal data owner;
Special personal data other than the health and sexual life of the personal data owner (data regarding race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, criminal conviction and security measures and biometric and genetic data), in cases stipulated by law,
Special personal data regarding the health and sexual life of the personal data owner can only be used by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing. within the scope of processing by.
ARTICLE 18: CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY, PURPOSES OF PROCESSING AND STORAGE PERIOD
In accordance with Article 10 of the KVK Law, our company informs the personal data owner which personal data owner groups it processes, the purposes of processing the personal data of the personal data owner and the storage periods within the scope of the obligation to inform.
ARTICLE 19: CATEGORIZATION OF PERSONAL DATA
Before our company, the relevant persons are informed in accordance with Article 10 of the KVK Law, and based on one or more of the personal data processing conditions specified in Article 5 of the KVK Law, in line with our Company’s legitimate and lawful personal data processing purposes, primarily in accordance with the KVK Law. Personal data in the following categories are processed, limited to the subjects within the scope of this Policy, in compliance with the general principles specified in the KVK Law, including the principles specified in Article 4 regarding the processing of personal data, and all obligations regulated in the KVK Law. The personal data processed in these categories are related to which data owners are regulated within the scope of this Policy.
It is also stated in this Policy that
IDENTITY INFORMATION; Processed partially or fully automatically or non-automatically as part of the data recording system, clearly belonging to an identified or identifiable natural person; All information contained in documents such as Driving License, Identity Card, Residence, Passport, Lawyer ID, Marriage Certificate.
COMMUNICATION INFORMATION; Processed partially or fully automatically or non-automatically as part of the data recording system, clearly belonging to an identified or identifiable natural person; Information such as phone number, address and e-mail.
CUSTOMER INFORMATION; Processed partially or fully automatically or non-automatically as part of the data recording system, clearly belonging to an identified or identifiable natural person; Information obtained and produced about the relevant person as a result of our commercial activities and the operations carried out by our business units within this framework.
PHYSICAL SPACE SECURITY INFORMATION; Personal data related to records and documents taken during the entrance to the physical location and during the stay in the physical location, which are clearly belonging to an identified or identifiable natural person and are included in the data recording system.
PROCESSING SAFETY INFORMATION; Clearly belongs to an identified or identifiable natural person and is included in the data recording system; Your personal data processed to ensure our technical, administrative, legal and commercial security while carrying out our commercial activities.
RISK MANAGEMENT INFORMATION; It is clear that it belongs to an identified or identifiable natural person and is included in our data risk recording system; Data that can be used and processed in accordance with generally accepted legal, commercial customs and honesty rules in these areas so that we can manage our commercial, technical and administrative management.
FINANCIAL INFORMATION: Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship our company has established with the personal data owner.
PERSONAL INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; All kinds of personal data processed to obtain information that will be the basis for the formation of the personal rights of our employees or natural persons who have a working relationship with our Company.
EMPLOYEE CANDIDATE INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Personal data processed regarding individuals who have applied to become employees of our Company or who have been evaluated as employee candidates in line with the human resources needs of our company in accordance with commercial practices and honesty rules, or who are in a working relationship with our Company.
EMPLOYEE TRANSACTION INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Personal data processed regarding any business-related transactions carried out by our employees or natural persons who have a working relationship with our company.
WORK PERFORMANCE AND CAREER DEVELOPMENT INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Data processed for the purpose of measuring the performance of our employees or real persons who have a working relationship with our Company and planning and executing their career development within the scope of our company’s human resources policy.
SIDE RIGHTS AND BENEFITS INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Your personal data processed for planning the fringe rights and benefits we offer and will offer to employees or other real persons who have a working relationship with our Company, determining objective criteria for entitlement to these, and tracking their progress payments.
LEGAL PROCEDURES AND COMPLIANCE INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Your personal data processed within the scope of determining and pursuing our legal receivables and rights and fulfilling our debts, as well as compliance with our legal obligations and our company’s policies.
AUDIT AND INSPECTION INFORMATION; An identified or identifiable person
r clearly belonging to a natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Your personal data processed within the scope of our company’s legal obligations and compliance with company policies.
SPECIAL PERSONAL DATA; Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Data specified in Article 6 of Law No. 6698.
REQUEST/COMPLAINT MANAGEMENT INFORMATION; Clearly belonging to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system; Personal data regarding the receipt and evaluation of any requests or complaints directed to our company.
ARTICLE 20: PURPOSES OF PROCESSING PERSONAL DATA
According to the categorization prepared by our Company, the main purposes for processing personal Data are shared below:
Carrying out the necessary work by our relevant business units in order to realize the commercial activities carried out by our company and carrying out the related business processes,
Planning and execution of our company’s commercial and/or business strategies,
Carrying out the necessary work by our business units and carrying out the relevant processes to enable relevant people to benefit from the products and services offered by our company,
Planning and executing our company’s human resources policies and processes,
Ensuring the legal, technical and commercial occupational safety of the relevant persons who have a business relationship with our Company.
The data processing purposes within the scope of the main purposes listed above are as follows:
Event Management
Planning and Execution of Research and Development Activities
Planning and Execution of Business Activities
Planning and Execution of Corporate Communication Activities
Planning and Execution of Information Security Processes
Creating and Managing Information Technologies Infrastructure
Planning and Execution of Business Partners and/or Suppliers’ Access Authorizations to Information and Facilities
Planning and Execution of Fringe Benefits and Benefits for Supplier and/or Business Partner Employees
Follow-up of Finance and/or Accounting Affairs
Planning and Execution of Logistics Activities
Management of Relationships with Business Partners and/or Suppliers
Carrying out Activities to Identify Customers’ Financial Risks
Planning and Execution of Customer Relationship Management Processes
Follow-up of Contract Processes and/or Legal Requests
Tracking of Customer Requests and/or Complaints
Planning Human Resources Processes
Conducting Personnel Recruitment Processes
Follow-up of Legal Affairs
Planning and Execution of Operational Activities Necessary to Ensure Company Activities Are Conducted in Compliance with Company Procedures and/or Relevant Legislation
Collecting Entry and Exit Records of Business Partner/Supplier Employees
Creating and Tracking Visitor Records
Planning and Execution of Company Audit Activities
Planning and/or Execution of Occupational Health and/or Safety Processes
Ensuring that the data is accurate and up-to-date
Management and/or Supervision of Relationships with Affiliates
Ensuring the Security of Company Campuses and/or Facilities
Ensuring the Security of Company Assets and/or Resources
Planning and/or Execution of Company Financial Risk Processes
Our Company requests the explicit consent of personal data owners in order to process personal data within the scope of personal data processing purposes other than the cases stated above; The following personal data processing activities are carried out by the relevant business units in accordance with the explicit consent of the personal data owners. In this context; In the absence of the above-mentioned conditions, personal data processing purposes requiring the express consent of personal data owners;
Planning and Execution of Business Partners and/or Suppliers’ Access Authorizations to Information and Facilities
Planning and Execution of Logistics Activities
Management of Relationships with Business Partners and/or Suppliers
Follow-up of Contract Processes and/or Legal Requests
Planning Human Resources Processes
Conducting Personnel Recruitment Processes
Planning and/or Execution of Customer Satisfaction Activities
Planning and Execution of Operational Activities Necessary to Ensure Company Activities Are Conducted in Compliance with Company Procedures and/or Relevant Legislation
Collecting Entry and Exit Records of Business Partner/Supplier Employees
Planning and Execution of Company Audit Activities
Planning and/or Execution of Occupational Health and/or Safety Processes
It can be listed as Ensuring the Security of Company Campuses and/or Facilities.
ARTICLE 21: STORAGE PERIOD OF PERSONAL DATA
Our company may process personal data in this regard if it is stipulated in the relevant laws and regulations.
It is stored in horses for the specified period of time.
If a period of time is not regulated in the legislation regarding how long personal data should be stored, personal data is processed for a period of time that requires processing in accordance with our Company’s practices and commercial life practices, depending on the services our company offers while processing that data, and then deleted, destroyed or anonymized. Detailed information on this subject is included in this policy.
The purpose of processing personal data has expired; If the storage periods determined by the relevant legislation and the company have come to an end; Personal data can only be stored to serve as evidence in possible legal disputes or to assert the relevant right based on personal data or to establish a defense. In establishing the periods herein, the limitation periods for asserting the mentioned right and the retention periods are determined based on the samples in the requests previously directed to our Company on the same issues, even though the limitation periods have passed. In this case, the stored personal data is not accessed for any other purpose and the relevant personal data is accessed only when it needs to be used in the relevant legal dispute. Here too, after the mentioned period expires, personal data is deleted, destroyed or anonymized.
ARTICLE 22: CATEGORIZATION REGARDING THE OWNERS OF PERSONAL DATA PROCESSED BY OUR COMPANY
Although the personal data of the categories of personal data owners listed below are processed by our company, the scope of application of this Policy is limited to our customers, potential customers, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with and third parties.
Our employees’ personal data protection and processing activities will be evaluated under the Holding Employees Personal Data Protection and Processing Policy.
Although the categories of persons whose personal data are processed by our Company are within the scope stated above, persons outside these categories may also submit their requests to our Company within the scope of the Personal Data Protection Law; The requests of these people will also be evaluated within the scope of this Policy.
Below, the concepts of customer, potential customer, visitor, employee candidate, shareholder and board member, natural persons in the institutions we cooperate with and third parties related to these persons within the scope of this Policy are clarified.
ARTICLE 23: CATEGORIES AND EXPLANATIONS
Visitor; Real persons who have entered the physical premises owned by our company for various purposes or visited our websites.
Third Parties; Third party natural persons who are associated with these persons in order to ensure the security of commercial transactions between our company and the parties or to protect the rights of the said persons and to obtain benefits, or natural persons who are not within the scope of this policy and the company employees personal data protection and processing policy.
Employee Candidate; Real persons who have applied for a job to our company by any means or have disclosed their CV information to our company.
Company Shareholder; The shareholders of our company are real persons.
Company official; Member of the company’s board of directors and other authorized real persons.
Employees, institutions, shareholders and officials with whom we cooperate; Natural persons in institutions with which our company has all kinds of business relations (including shareholders and officials of these institutions, such as but not limited to business partners, offices, suppliers).
ARTICLE 24: THIRD PARTIES TO WHICH PERSONAL DATA IS TRANSFERRED BY OUR COMPANY AND THE PURPOSES OF TRANSFER
Our company notifies the personal data owner of the person groups to which personal data is transferred in accordance with Article 10 of the KVKK.
In accordance with Articles 8 and 9 of the KVK Law, our company may transfer the personal data of service recipients to the following categories of persons:
Company business partners,
To company suppliers,
To company subsidiaries,
To Company Shareholders,
Legally Authorized public institutions and organizations,
To legally authorized private legal persons.
The scope of the above-mentioned persons to whom the transfer is made and the purposes of data transfer are as follows;
Limited to ensuring that the purposes for which the business partnership was established are fulfilled,
Limited to ensure that the services our company outsources from the supplier and necessary to carry out our company’s commercial activities are provided to our company,
Limited to ensuring the execution of our company’s commercial activities that require the participation of its subsidiaries,
Designing our company’s strategies and audit activities regarding its commercial activities in accordance with the legal regulations and limited to audit purposes,
legally authorized
In case public institutions and organizations request information and documents from our company within the framework of legal legislation, limited to the purpose requested within our legal powers,
In case legally authorized private legal persons request information and documents from our company within the framework of legal legislation, limited to the purpose requested within our legal powers,
In transfers made by our company, we act in accordance with the issues set out in the policy.
Our company informs the personal data owner about the personal data it processes in accordance with Article 10 of the KVK Law.
Although the legal basis for processing personal data by our company varies, all kinds of personal data processing activities are carried out in accordance with the general principles specified in Article 4 of Law No. 6698.
Explicit consent is obtained from visitors and third parties for the processing of personal data based on the express consent of the personal data owner.
The personal data of the data owner can be processed in accordance with the law if it is clearly provided for by law.
If it is necessary to process the personal data of a person who is unable to express his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself or another person, the personal data of the data owner may be processed.
It is possible to process personal data if it is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
If processing is mandatory for our company to fulfill its legal obligations as the data controller, the personal data of the data owner may be processed.
If the data owner has made his personal data public, the relevant personal data can be processed.
If data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the data owner may be processed (invoice, etc.).
Personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company, provided that the fundamental rights and freedoms of the personal data owner are not harmed. (for the purpose of making internal calculations, etc.)
Personal data processing activities carried out by our company at building facility entrances and within the facility are carried out in accordance with the Constitution, the Personal Data Protection Law and other relevant legislation.
In order to ensure security by our Company, personal data processing activities are carried out for monitoring guest entries and exits through security cameras in our Company’s buildings and facilities.
Personal data processing is carried out by our Company by using security cameras and recording guest entries and exits.
In this context, our Company acts in accordance with the Constitution, KVK Law and other relevant legislation. Our company, within the scope of surveillance activities with security cameras; It aims to improve the quality of the service provided, ensure its reliability, ensure the safety of the company, employees and other persons, and protect the interests of third parties regarding the service they receive. The camera monitoring activity carried out by our company is carried out in accordance with the Law on Private Security Services and relevant legislation. Our company complies with the regulations in the KVK Law when carrying out camera monitoring activities for security purposes.
Our company carries out security camera monitoring activities in order to ensure security in its buildings and facilities, for the purposes prescribed by law and in accordance with the personal data processing conditions listed in the KVK Law.
Announcement of monitoring activities by our company is made in accordance with Article 10 of the KVK Law.
In addition to providing clarification on general issues, our company also provides notifications regarding camera monitoring activities through multiple methods in accordance with the EU regulations. Thus, it is aimed to prevent harm to the fundamental rights and freedoms of the personal data owner and to ensure transparency and clarification of the personal data owner.
In accordance with Article 4 of the KVK Law, our company processes personal data in a limited and measured manner in connection with the purpose for which they are processed.
The purpose of our company’s surveillance activities with video cameras is limited to the purposes listed in this Policy. In this regard, the monitoring areas of security cameras, their number and when they will be monitored are implemented in a way that is sufficient to achieve the security goal and is limited to this purpose. It is not subject to monitoring in areas that may result in interference with a person’s privacy that exceeds security purposes (for example, toilets).
Our company carries out camera monitoring activities in accordance with Article 12 of the KVK Law.
Necessary technical and administrative measures are taken to ensure the security of the personal data obtained as a result.
Only a limited number of company employees have access to records recorded and maintained digitally. Live camera footage can be monitored by outsourced security personnel. A limited number of people who have access to the records declare with a confidentiality agreement that they will protect the confidentiality of the data they access.
By our company; Personal data processing activities are carried out to ensure security and to monitor guest entries and exits in company buildings and facilities for the purposes specified in this Policy.
While the names and surnames of people who come to the company buildings as guests are obtained, or through texts posted in the Company or made accessible to guests in other ways, the personal data owners in question are clarified in this context. The data obtained for the purpose of tracking guest entry and exit is processed only for this purpose, and the relevant personal data is recorded in the data recording system in the physical environment.
Regarding camera monitoring activities carried out by our company; This Policy is published on our company’s website (online policy regulation) and a notification letter stating that monitoring will be carried out is hung at the entrances of the areas where monitoring is carried out (on-site lighting).
On the websites owned by our company; To ensure that people visiting these sites carry out their visits on the sites in accordance with the purposes of their visit; In order to show them customized content, their internet movements within the site are recorded by technical means.
Detailed explanations regarding the protection and processing of personal data regarding these activities carried out by our company are included in the “Holding Website Privacy Policy” texts of the relevant websites.
Although our Company has processed it in accordance with the relevant legal provisions as regulated in Article 138 of the Turkish Penal Code and Article 7 of the Personal Data Protection Law, personal data will be deleted or destroyed based on our Company’s own decision or upon the request of the personal data owner, in case the reasons requiring processing are eliminated. or made anonymous. Our company fulfills this legal obligation through legal methods.
ARTICLE 25: TECHNIQUES FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
25.1 Deletion and Destruction Techniques of Personal Data
Our company may delete or destroy personal data, based on its own decision or upon the request of the personal data owner, if the reasons requiring processing are eliminated, even though it has been processed in accordance with the relevant legal provisions. The deletion or destruction techniques most used by our company are listed below:
Physical Destruction
Personal data can also be processed by non-automatic means, provided that it is part of any data recording system. When such data is deleted/destroyed, a system of physical destruction of personal data in such a way that it cannot be used later is applied.
25.1.2 Secure Deletion from Software
While data processed wholly or partially automatically and stored in digital media is deleted/destroyed; Methods are used to delete the data from the relevant software so that it cannot be recovered again.
Secure Deletion by Expert
In some cases, the company may contract with an expert to delete personal data on its behalf. In this case, personal data is securely deleted/destroyed by an expert in this field so that it cannot be recovered again.
25.2 Techniques for Anonymizing Personal Data
Anonymization of personal data means making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data. Our company can anonymize personal data when the reasons requiring the processing of personal data processed in accordance with the law are eliminated.
In accordance with Article 28 of the KVK Law; Anonymized personal data may be processed for purposes such as research, planning and statistics. Such processing is outside the scope of the Personal Data Protection Law and the express consent of the personal data owner will not be required. Since personal data processed by anonymization will be outside the scope of the KVK Law, the rights set out in the Policy will not apply to this data.
The anonymization techniques most used by our company are as follows;
masking
Data masking is the method of anonymizing personal data by removing the basic identifying information of personal data from the data set.
consolidation
With the data aggregation method, many data are aggregated and personal data is made unable to be associated with any individual.
Data Derivation
Personal data derivation method
A more general content is created from the content of the data and it is ensured that personal data cannot be associated with any individual.
Data Hashing
With the data mixing method, the connection between values and individuals is broken by mixing the values in the personal data set.
Our Company informs the personal data owner of his or her rights in accordance with Article 10 of the KVK Law, guides the personal data owner on how to use these rights, and our Company complies with Article 13 of the KVK Law in order to evaluate the rights of personal data owners and provide the necessary information to personal data owners. It carries out the necessary channels, internal functioning, administrative and technical regulations in accordance with the article.
ARTICLE 26: RIGHTS OF THE DATA OWNER AND HIS USE OF THESE RIGHTS
26.1 Rights of Personal Data Owner
Personal data owners have the following rights:
Learning whether personal data is processed or not
Requesting information if personal data has been processed
Learning the purpose of processing personal data and whether they are used for their intended purpose
Knowing third parties to whom personal data is transferred domestically or abroad
Requesting correction of personal data in case of incomplete or incorrect processing and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred.
Requesting the deletion or destruction of personal data in case the reasons requiring processing are eliminated, even though it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and requesting that the transaction carried out in this context be notified to third parties to whom personal data has been transferred.
Objecting to the emergence of a result against the person by analyzing the processed data exclusively through automatic systems
Requesting compensation for damage in case of damage due to illegal processing of personal data
26.2 Situations in which the Personal Data Owner Cannot Assert Their Rights
In accordance with Article 28 of the Personal Data Protection Law, personal data owners cannot assert the following rights of personal data owners in these matters, since the following situations are excluded from the scope of the Personal Data Protection Law:
Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics
Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public safety, public order or economic security.
Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial or enforcement proceedings
In accordance with Article 28/2 of the KVK Law; In the cases listed below, personal data owners cannot assert their rights listed below, except for the right to demand compensation for damages:
Processing of personal data is necessary for the prevention of crime or criminal investigation.
Processing of personal data made public by the personal data owner.
Processing of personal data is necessary for the execution of auditing or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations that are public institutions, based on the authority granted by the law.
Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial or enforcement proceedings.
26.3 Personal Data Owner Exercising His Rights
Personal data owners will be able to submit their requests regarding the rights listed above in this section to our Company free of charge using the method specified below:
After filling out the form at www.gureltekstil.com and signing it with a wet signature, apply in person to Duacılı Mahallesi, Çamlık Caddesi, No:10 Sarayköy/Denizli.
After filling out the form at www.gureltekstil.com and signing it with a wet signature, via cargo or mail to the address Duacılı Mahallesi, Çamlık Caddesi, No:10 Sarayköy/Denizli,
After filling out the form at www.gureltekstil.com and signing it with your “secure electronic signature” within the scope of the Electronic Signature Law No. 5070, the form with the secure electronic signature will be sent via e-mail to accounting@gureltekstil.com.
It is not possible for third parties to make requests on behalf of personal data owners.
In order for a person other than the personal data owner to make a request, a special and
There must be a power of attorney.
In their application to exercise their rights, personal data owners will fill out the “Application Form for Applications to be Made to the Data Controller by the Relevant Person (Personal Data Owner) in Pursuance of the Personal Data Protection Law No. 6698” linked above. The application method to be made in this form is also explained in detail.
26.4 Personal Data Owner’s Right to Complain to the KVK Board
In cases where the personal data owner’s application is rejected, the response is found insufficient, or the application is not responded to in due time, in accordance with Article 14 of the Personal Data Protection Law; He/she may file a complaint with the KVK Board within thirty days from the date of learning our company’s answer, and in any case within sixty days from the date of application.
ARTICLE 27: COMPANY’S RESPOND TO APPLICATIONS
27.1 Our Company’s Response Procedure and Time to Applications
If the personal data owner submits his/her request to our Company in accordance with the procedure in the above section of this section, our Company will finalize the relevant request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request.
However, if the transaction requires an additional cost, our Company will charge the applicant the fee in the tariff determined by the KVK Board.
27.2 Information Our Company May Request from the Applicant Personal Data Owner
Our company may request information from the relevant person in order to determine whether the applicant is the owner of personal data.
Our company may ask questions to the personal data owner regarding his application in order to clarify the issues included in the personal data owner’s application.
27.3 Our Company’s Right to Reject the Application of the Personal Data Owner
Our company may reject the application of the applicant by explaining the reason in the following cases:
Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
Personal data protects national defence, national security, public safety, public order,
Processing for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate economic security, privacy of private life or personal rights or constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public safety, public order or economic security.
Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial or enforcement proceedings.
Processing of personal data is necessary for the prevention of crime or criminal investigation.
Processing of personal data made public by the personal data owner.
Processing of personal data is necessary for the execution of auditing or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations that are public institutions, based on the authority granted by the law.
Processing of personal data is necessary to protect the economic and financial interests of the State regarding budget, tax and financial matters.
The request of the personal data owner is likely to hinder the rights and freedoms of other persons
Requests have been made that require disproportionate effort.
The requested information must be publicly available information.
ARTICLE 28: RELATIONSHIP OF THE COMPANY’S PERSONAL DATA PROTECTION AND PROCESSING POLICY WITH OTHER POLICIES
The basic policies written on the protection and processing of personal data, to which the principles set out by the Company in this Policy are related, are stated. By establishing a connection between these policies and the basic policies carried out by the Company in other areas, harmonization is also achieved between the processes operated by the Company with different policy principles for similar purposes.
In accordance with the decision of the Company’s senior management, the “Personal Data Protection Board” has been established within the Company to manage this policy and other policies related to this policy. The duties of this board are stated below.
To prepare basic policies regarding the Protection and Processing of Personal Data and submit them to the approval of the senior management in order to put them into effect.
To decide how the policies regarding the Protection and Processing of Personal Data will be implemented and supervised, and to submit internal assignments and coordination within the company to the approval of the senior management.
To determine the issues that need to be done to ensure compliance with the Personal Data Protection Law and relevant legislation and to submit what needs to be done to the approval of the senior management; to oversee and coordinate its implementation.
Awareness of the Protection and Processing of Personal Data within the Company and among the institutions with which the Company cooperates.
to increase.
To identify risks that may occur in the company’s personal data processing activities and to ensure that necessary precautions are taken; Presenting improvement suggestions to senior management for approval.
Designing and ensuring the execution of training on the protection of personal data and implementation of policies.
To decide on the applications of personal data owners at the highest level.
Personal data owners; To coordinate the execution of information and training activities to ensure that they are informed about personal data processing activities and legal rights.
To prepare changes in the basic policies regarding the Protection and Processing of Personal Data and submit them to the approval of the senior management in order to put them into effect.
To follow the developments and regulations regarding the Protection of Personal Data; To advise the senior management on what needs to be done within the Company in accordance with these developments and regulations.
To coordinate relations with the Personal Data Protection Board and Institution.
To perform other duties assigned by the company’s senior management regarding the protection of personal data.
Some of the stated policies are for internal use. By reflecting the principles of the company’s internal policies in public policies to the extent relevant, it is aimed to inform those concerned within this framework and to ensure transparency and accountability regarding the personal data processing activities carried out by the Company.