Policy on Personal Data
- Introduction
In accordance with the Turkish Law on Protection of Personal Data no. 6698 and General Data Protection Regulation, everyone is entitled to demand the protection of personal data concerning him. This right includes being informed about, accessing, and requesting correction or deletion of personal data about a person, and learning whether they are used for their purposes.
We would like to inform you in detail about the protection of your personal data in accordance with the Turkish Law on Protection of Personal Data no. 6698 and General Data Protection Regulation, the manner in which your personal data is received, the purposes for which it is processed, the legal reasons and our mutual rights and obligations.
This Policy aims to protect Clients, Employee Candidates, Real Person Subcontractors, Legal Person Subcontractor’s Employees, Employees, Visitors, the Employees, Shareholders and Authorities of the Companies that we cooperate with, and third parties. The Company’s employees are managed under the Policy on Protection of Personal Data, which is written in line with the principles in this Policy on the protection of personal data of our employees.
If there is a conflict between the Turkish Law on Protection of Personal Data no. 6698 and General Data Protection Regulation and other relevant legislation, and the Company’s Policy on Protection of Personal Data, the legislation and the Turkish Law on Protection of Personal Data no. 6698 and General Data Protection Regulation in force shall be applied.
- Purposes for Processing of Your Personal Data
REALM OF BE / BADE KAYAYURT SOLE PROPRIETORSHIP (“Company”) has prepared this Policy on Protection of Personal Data in order to protect the fundamental rights and freedoms of individuals, especially the privacy of individuals in the processing of personal data.
The Policy is intended to continue and develop the activities carried out by the Company in accordance with the principles of the Turkish Law on Protection of Personal Data no. 6698 and General Data Protection Regulation and to inform the owners of personal data.
- Scope
Data subjects whose personal data are processed within the scope of this Policy are categorized as follows:
Employee Candidates | Real persons who make their CV and related information accessible to the Company by applying for a job or by any means
Employees | People who have a business relationship with the Company
Former Employees | Former employees whose business relationship with the Company has ended
Real Person Subcontractors | Partnership companies or real persons from whom we receive contract manufacturing services
Shareholders | Shareholders
Employees of the Companies that we cooperate with | Employees of real persons or legal persons with whom we cooperate other than for contract manufacturing
Clients | People who shop on the Company’s website or in store
Legal Person Subcontractor’s Employees | Employees of the legal persons from whom we receive contract manufacturing services
Authorities | Executives in senior management of the Company
Third Parties | Persons not otherwise defined in the Policy, including but not limited to guarantors and family members, whose personal data is processed under this Policy
Visitors | Natural persons who have entered the Company’s physical facilities for various purposes or who have visited websites
- Definitions
Explicit consent | Freely given specific and informed consent
Anonymization | Rendering personal data by no means identified or identifiable with a natural person even by linking with other data
Personal Health Data | Health data related to identified or identifiable natural person
Personal Data | Any information about identified or identifiable natural person
Processing of Personal Data | Any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system
Board | The Turkish Board of Protection of Personal Data or a supervisory authority in a third country
Authority | The Authority of Protection of Personal Data
Special Categories of Personal Data | Data relating to race, ethnic origin, political beliefs, philosophical beliefs, religion, denomination or other faiths, clothing and attire, membership of an association, charity or union, health, sexual life, criminal convictions and security measures and biometric and genetic data
Data Processor | This is the real or legal entity that processes the personal data, with the authority bestowed by the data controller, and in the name of the data controller
Data Subject | Natural person whose personal data are processed and determined as “Related Person” in the Law on the Protection of Personal Data
Application Form of Data Subject | The Application Form for data subject in the Company when using the right to request related to rights within the scope of the Article 11
Data Controller | Natural person or a legal entity who determines the purposes and means of processing of personal data and is responsible for establishment and management of data recording system
Data Controllers’ Registry | The Registry of data controllers kept by the Presidency of the Board of Protection of Personal Data
Data Inventory | The Inventory that the data controller must make a thorough review on its activities, determine where it uses personal data in any way and make a list of the following issues for each personal data process: the purpose of processing activity, the category of personal data, the recipient group, the data subject group, the maximum retention period, whether or not the personal data is to be transferred abroad, the precautions taken for data security
GDPR | Regulation (EU) 2016/679 of The European Parliament and of The Council Of 27 April 2016 on The Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC
- General Principles Regarding the Processing of Personal Data
Pursuant to the article 4/2 of the GDPR, the processing of personal data contains any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.
Personal data may only be processed in compliance with the principles as follows:
- Lawfulness, transparency and conformity with rules of bona fides
Our Company conducts its personal data processing activities in accordance with rules of bona fides and law within the scope of GDPR.
- Accuracy and being up to date, where necessary
Our Company takes all kinds of administrative and technical measures to ensure that personal data are accurate and up to date during processing.
- Being processed for specific, explicit and legitimate purposes
Before starting the processing of personal data, our Company determines its legitimate purpose for processing personal data precisely and explicitly within the framework of the informative document.
- Being relevant with, limited to and proportionate to the purposes for which they are processed.
Personal data are processed by our Company as necessary to achieve the specified purposes. Data is not processed on the assumption that it may be used later.
- Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed
Our Company retains personal data for a limited period of time as required by the GDPR and related legislation or for purposes related to data processing.
- Being processed in a manner that ensures appropriate security of the personal data
Our company ensures appropriate security of personal data that it processes.
- Conditions of Personal Data Collection
Personal data and Special Categories of Personal Data can be processed and transmitted with the explicit consent of the data subject, or without explicit consent under the conditions specified in Articles 6, 7 and 9 of the GDPR.
- Processing of Personal Data
As a rule, our Company processes your personal data based on your explicit consent. However, we conduct personal data processing without seeking your explicit consent in accordance with the data processing conditions specified in Article 6 of the GDPR:
- It is explicitly stipulated in the law,
- It is compulsory for the protection of the life or bodily integrity of the person or of someone else, where that person is unable to express consent due to actual impossibility or their consent is not legally valid,
- Processing of personal data is required, provided that it is directly related to the establishment or performance of a contract between the data owner and the Company,
- It is compulsory to fulfil the legal obligations,
- The data has been made public by the data owner himself,
- Data processing is mandatory for the establishment, use or protection of a right,
- The processing of data for the legitimate interests of the Company is mandatory, without prejudice to the fundamental rights and freedoms of the data holder.
- Processing of Special Categories of Personal Data
Our Company processes personal data that is considered to be of a special nature, and that carries the risk of discrimination when processed unlawfully, in accordance with the data processing conditions set forth in Article 9 of the GDPR. It is forbidden to process Special Categories of Personal Data without the express consent of the data owner. However, Special Categories of Personal Data may be processed even if the data owner has not given explicit consent in the following cases:
- Processing of Personal Health Data
Personal health data can be processed (i) when the necessary permissions are taken by Health Ministry, (ii) in compliance with general provisions, and (iii) under confidentiality obligation, if one of the following conditions is present:
- The explicit consent of the data subject
- Taking necessary precautions for the purpose of occupational and obey the obligations arising from the legislation,
- Public Health Protection
- Preventive Medicine
- Medical diagnosis, treatment and care services
- Planning and management of health care and financing
- Processing of Personal Data Except for Health and Sexual Life
Processing of data within this scope is possible where the data owner’s explicit consent exists and in situations foreseen in law.
- Processing of special categories of personal data under the GDPR
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be allowed if one of the following applies:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes,
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorized;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
- processing relates to personal data which are manifestly made public by the data subject;
- processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
- processing is necessary for reasons of substantial public interest, on the basis of law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph c;
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
- Ensuring the Security and Privacy of Personal Data
Pursuant to Article 32 of the GDPR, our Company takes all necessary technical and administrative precautions to prevent illegal processing of and illegal access to personal data, and to ensure that personal data is protected at the proper level.
7.1. Technical Precautions Taken to Ensure the Legal Processing of Personal Data and to Prevent Illegal Access
The Company has taken all sorts of technical and technological security precautions in order to protect your personal data and has protected your personal data against all possible risks.
Technical precautions are taken in accordance with developments in technology, and the precautions are periodically updated and renewed. Software and hardware that include virus protection systems and firewalls are in place. Employees have been informed that they may not disclose the personal data they have learned contrary to the provisions of the Law, that they may not use it for any purpose other than processing purposes, and that this obligation will continue even after they leave their job; the necessary commitments have been obtained from the employees in this direction, and policies, in particular in the workplace, have been issued to the employees. In order to store personal data in a secure medium, systems in line with technological developments are used.
Administrative Precautions Taken To Ensure the Legal Processing Of Personal Data and To Prevent Unlawful Access
- Training and raising the awareness of the Company’s employees regarding the GDPR,
- Where personal data is transferred, ensuring that the agreements concluded with the person to whom the personal data is transferred include provisions that the party receiving the personal data will ensure data security,
- Determining the requirements to be fulfilled in order to comply with the GDPR and preparing domestic policies for their executions,
- Using software and hardware that includes virus protection systems and firewalls to prevent unauthorized access.
7.2. Precautions to Be Taken in Case of Illegal Disclosure of Personal Data
If the processed personal data is obtained by another person by illegal ways despite the necessary security precautions, our Company will notify the data owner and the Board within 72 hours from the date of the announcement by means of the contact information held by the Company.
- Purpose of the Processing of Personal Data and Preservation Period
8.1. Purposes of the Processing Personal Data
Personal data held by our Company shall be processed limited to the law and the rules of honesty and to the purpose for which they are committed, in accordance with the principles of retention for the time period required by the relevant legislation or for the purpose for which they are processed, for the following purposes:
- planning and execution of commercial activities,
- informing the authorized institutions and organizations originating from the law,
- getting technological services in areas which are not directly provided by us and not in our field of expertise,
- reaching financial agreement with our business partners and/or third parties regarding our products and services,
- execution/pursuit of financial reporting and risk management transactions,
- planning and execution of the necessary audit activities to ensure the conduct of the activities in accordance with the relevant procedures and the Company's procedures,
- the execution of the corporate sustainability activities,
- the execution of activities for the protection of the reputation of our company,
- complaint management,
- planning and execution of corporate governance and communication activities,
- delivery of invoices, invoicing,
- sending commercial electronic messages in case of your consent,
- organizing campaigns within the scope of the loyalty card program and signing scores,
- resolving complaints about products,
- personalizing our advertising and marketing communications and being more relevant to you,
- improving, customizing and measuring the website and our services,
- measuring the performance of marketing campaigns we perform through e-mail,
- analyzing e-mail opening and click-through rates,
- monitoring and improving the information security of the website,
- and improve our website in third-party websites.
8.2. The Preservation Period of Personal Data
Our Company determines whether or not a period is stipulated in the relevant legislation for the preservation of personal data. If a period is foreseen in the relevant legislation, it shall comply with this period; if a period of time is not foreseen, it will retain the personal data for the time which is required for the purpose for which it was processed. If the purpose of the processing of personal data has expired and the relevant legislation and / or the retention periods set by our Company have been reached, they may be kept only for the purpose of providing evidence in the event of possible legal disputes, for claiming the right related to personal data or establishing the defense. Personal data is not stored by our Company based on the possibility of future use.
- Deletion, Destruction and Anonymization of Personal Data
According to the article 17 of the GDPR, although personal data are processed in accordance with the relevant legislation, if the reasons requiring processing are eliminated, personal data are deleted, destroyed or anonymized by the Company upon the request of the person or personal data owner.
The procedures and principles regarding this matter shall be fulfilled in accordance with the GDPR.
Our Company deletes, destroys or anonymizes personal data in the first periodic destruction following the date on which our obligation to delete, destroy or anonymize personal data arises.
Personal data will be deleted, destroyed or made anonymous within 3 (three) months of the date on which our obligation of deleting, destroying or making anonymized personal data arises.
The period of time for periodic destruction is six months.
When you contact our company and request that your personal data are deleted or destroyed;
- a) If all conditions for processing personal data have been removed, your personal data subject to the request will be deleted, destroyed or made anonymous. Your request will be finalized within thirty days at the latest and you will be notified.
- b) If all the data processing conditions have been removed and the personal data subject to the request have been transferred to third parties, the third parties are notified; it is ensured that necessary transactions are carried out within the scope of the Regulation.
- c) If the conditions for processing have not been removed, your claim may be rejected, with the justification explained pursuant to Article 6 of the GDPR, and you will be notified in writing or electronically within thirty days at the latest.
9.1 Deletion and Destruction of Personal Data Techniques
Deletion of personal data is the process of making personal data inaccessible and non-reusable for the users concerned.
Destruction of personal data is the process of making personal data inaccessible and non-reusable by anyone.
Example: physical destruction, secure deletion from software, secure deletion by an expert, etc.
Anonymization Techniques for Personal Data
It means rendering personal data by no means identified or identifiable with a natural person even by linking with other data.
Example: masking, data generation, using pseudonyms, aggregation, data hashing, etc.
Third Parties to Whom Personal Data is Transferred and Transfer Objectives
The procedures and principles to be applied in the transfer of personal data are regulated in article 8 and 9 of the Personal Data Protection Law and the personal data of the personal data owner and private personal data can be transferred to third parties at home and abroad.
For the performance of its services, your personal data may be shared, limited to the law and other legislation (including the Law on the Identification of Identity No. 1774, the Law on Consumer Protection No. 6502, and other regulations regarding these), with infrastructure providers, trainers, third parties, travel agencies, e-archives, e-waybills and e-invoices, legal entities providing archival services, server service received from abroad for our websites, insurance companies, banks/financing companies, collection of receivables, real-estate physician, real and legal persons with whom we have a proxy relationship, and our business partners. However, in any case, personal data cannot be transferred without the explicit consent of the personal data owner, with the exception of the exceptions set out in the GDPR.
9.2 Domestic Data Transfer
Pursuant to the Articles 44 – 50 of the GDPR, the transfer of personal data domestically shall be possible provided that one of the conditions set out in section 6, “Conditions for the Processing of Personal Data”, of this Policy is met.
9.3 Abroad Data Transfer
In accordance with Articles 44 – 50 of the GDPR, in case personal data are transferred abroad, the conditions for domestic transfers must be met and one of the following is required:
- sufficient protection is provided in the foreign country where the data is to be transferred,
- the controllers in Turkey and in the related foreign country guarantee a sufficient protection in writing and the Board has authorized such transfer, where sufficient protection is not provided.
9.4 Personal Data Transfer Groups by our Company
In accordance with Articles 44 – 50 of the GDPR, our Company may transfer the personal data of the personal data holders within the scope of this Policy to the following groups of persons for the specified purposes:
GROUPS | DEFINITION | TRANSFER PURPOSE
Public Institutions and Organizations Legally Authorized | Public institutions and organizations authorized to obtain information and documents of our Company in accordance with the provisions of the relevant legislation | Within the scope of the legal authority of the relevant public institutions and organizations for the requested purpose
Private Person Legally Authorized | Private person authorized to obtain information and documents of our Company in accordance with the provisions of the relevant legislation | Within the scope of the legal authority of the private person for the requested purpose
- Obligation of our Company to Inform
In accordance with Article 13 of the GDPR, our Company should inform personal data owners during the collection of personal data. In this context, our Company fulfils its obligation to inform on the following subjects:
- the identity of the controller and of his representative, if any,
- the purpose of data processing;
- to whom and for what purposes the processed data may be transferred,
- the method and legal reason of collection of personal data,
- other rights referred to in the articles 12 – 23 of the GDPR.
- The Rights of Data Owners and Usage of these Rights
In accordance with the articles 12 – 23 of the GDPR, the rights of personal data owners are assessed and the necessary information is provided to personal data owners through the Company Personal Data Application Form as well as this Policy. Personal data holders may submit their complaints or requests regarding the processing of their personal data to us within the framework of the principles specified in the relevant form.
11.1 Right of Application
Pursuant to the articles 12 – 23 of the GDPR, anyone whose personal data has been processed can apply to our Company and make requests regarding the following matters:
- a) Learn from our Company whether or not personal data concerning him/her are being processed;
- b) Request information as to processing if her/his data have been processed;
- c) Learn the purpose of processing of the personal data and whether data are used in accordance with their purpose;
- d) Know the third parties in the country or abroad to whom personal data have been transferred;
- e) Request rectification in case personal data are processed incompletely or inaccurately; and request notification of the operations made to third parties to whom personal data have been transferred;
- f) Request the deletion, destruction or anonymization of personal data in the event that the reasons that require processing of the personal data disappear; and request notification of the operations made to third parties to whom personal data have been transferred
- g) Object to occurrence of any result that is to her/his detriment by means of analysis of personal data exclusively through automated systems
- h) Request compensation for the damages in case the person incurs damages due to unlawful processing of personal data by applying to the data controller
- i) Receive the personal data concerning you, which you have provided to our Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from our Company to which the personal data have been provided
11.2 Exceptions to the Right of Application
Pursuant to the article 23 of the GDPR, personal data owners will not be able to assert their rights if:
- personal data is processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security is to be complied with.
- personal data is processed for the purpose of official statistics and for research, planning and statistical purposes after having been anonymized.
- personal data is processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defense, national security, public security, public order, economic security, right to privacy or personal rights are not violated or they are processed so as not to constitute a crime.
- personal data is processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorized and assigned to maintain national defense, national security, public security, public order or economic security.
- personal data is processed by judicial authorities or execution authorities with regard to investigation, prosecution, criminal proceedings or execution proceedings.
11.3. The Procedure of Response
Pursuant to Article 19 of the GDPR, our Company will finalize the application requests submitted by the personal data holder as soon as possible according to the nature of the request and within 30 (thirty) days at the latest. Pursuant to the article 19 of the GDPR, your application must be submitted to our Company in writing or by other methods to be determined by the Board.
The application of the personal data holder may be rejected in the following cases:
- Preventing other people's rights and freedoms
- Requiring disproportionate effort
- Information being publicly available
- Endangering the privacy of others
- Existence of one of the cases that are not covered under the Personal Data Protection Law
- Personal Data Processing Activities on the Company and Data Processing Activities on the Website
12.1 Camera Monitoring in the Company
In order to protect the interests of our Company and other persons and to ensure their safety, camera monitoring is carried out within our Company and our factory.
Pursuant to the regulations stipulated in the GDPR, this Policy is published on our website by the Company in relation to camera monitoring activities, and a notification letter indicating that monitoring is being carried out is posted at the entrances of the areas where monitoring is performed.
There is no monitoring in areas where it may result in interference with the privacy of the person. Only a limited number of Company employees and, if required, the security company employees have access to the security camera recordings. Those persons who have access to the records declare, by signing a confidentiality commitment, that they will protect the confidentiality of the data that they access.
12.2. Incoming and Outgoing Visitors of the Company
Personal data processing is carried out to monitor the entrance and exit of our guests. While the name and surname information of the persons who come to our company is obtained, the data is processed only for this purpose and the relevant personal data is recorded in the recording system in the physical environment.
12.3. Visitors of the Website
Internet transactions within the website of our Company are recorded by technical means (e.g. cookies) in order to allow visitors to conduct their visits in accordance with their purposes, to display customized content to them, and to engage in online advertising activities. Detailed explanations regarding these activities of our Company are included in the Privacy Policy texts on our website.
12.4 Clients
For persons who become members on the website or make purchases without membership, the following personal data is processed: if the person creates an account on the website, name, surname, gender, date of birth and e-mail address; if the person purchases from the website, name, surname, e-mail, telephone number, address and credit card information. In addition to the above, cookies are loaded into the electronic device through the browser used and the IP number is processed. This data is processed for the following purposes:
- planning and execution of commercial activities,
- informing the authorized institutions and organizations from the legislation,
- obtaining technological services in areas not directly provided by us and not in our field of expertise,
- obtaining financial agreement with our business partners and/or third parties regarding our products and services,
- execution of financial reporting and risk management transactions,
- planning and execution of the necessary audit activities to ensure the conduct of the activities in accordance with the procedures and the Company's procedures,
- planning and executing corporate sustainability activities,
- carrying out activities to protect the reputation of our company,
- managing demand and complaint processes,
- planning and executing corporate governance and communication activities,
- delivering the purchased product to you,
- issuing invoices,
- sending commercial electronic messages if you give consent,
- organizing campaigns and scoring points within the scope of the loyalty card program if you become a member of the loyalty card program,
- resolving complaints about products,
- personalizing our advertising and marketing communications and making them more relevant to you,
- customizing, measuring and improving our website and services,
- measuring the performance of our marketing campaigns via e-mail,
- analyzing e-mail opening and click-through rates,
- monitoring and improving the information security of the website,
- enabling you to see advertisements about our website and services on third party websites.
12.5. Personal Data Protection Office
In order to fulfil the obligations of the GDPR, the Company makes the necessary assignments and establishes procedures accordingly for the implementation of the issues specified in this Policy. The Office for the Protection of Personal Data was established by the Company to manage this Policy and the procedures attached to this Policy under the GDPR.
The office has duties such as distribution of duties necessary to increase internal awareness, monitoring of the audits to be performed, taking the necessary actions to solve the applications of the persons concerned, and conducting relations with the Board.
This Policy may be revised by the Company if deemed necessary. In case of revision, the most up-to-date version of the Policy will be posted on the Company's website.