MRY Tekstil Deri Mağazacılık San. Tic. Ltd. Şti.
POLICY ON THE PROTECTION, PROCESSING AND TRANSFER OF PERSONAL DATA
Content
POLICY ON THE PROTECTION, PROCESSING AND TRANSFER OF PERSONAL DATA 2
CHAPTER ONE: GENERAL INFORMATION REGARDING POLICY 2
1. Introduction
2. Purpose of Policy
3. Scope of the Policy
4. Definitions
5. Enforcement of the Policy
CHAPTER TWO: CLASSIFICATION OF PERSONAL DATA
1.Personal Data
2.Sensitive Personal Data
CHAPTER THREE: DATA SUBJECT GROUPS AND DATA CATEGORIES
1. Personal Data Categorization
CHAPTER FOUR: PROCESSING PERSONAL DATA
1. General Principles in the Processing of Personal Data
2.Personal Data Processing Conditions
3. Conditions of Processing of Special Quality Personal Data
4. Purposes of Processing Personal Data.
CHAPTER FIVE: TRANSFERRING PERSONAL DATA
1. Terms of Transfer of Personal Data
2. Conditions for Transferring Personal Data Abroad
3. Purposes of Transferring Personal Data and Third Parties to which it may be Transferred
4. Personal Data Envisioned to be Transferred to Foreign Countries
CHAPTER SIX: METHOD OF COLLECTING PERSONAL DATA AND LEGAL REASON
1. Method and Legal Reason for Personal Data Collection
CHAPTER SEVEN: RIGHTS OF THE DATA OWNER
1. Disclosure of Personal Data Owner
2. Rights of the Data Owner
3. Circumstances in which the Personal Data Owner cannot assert his rights
4. Use of Personal Data Owner's Rights
5. The Company's Response Procedure and Time to Applications
6. Right of Personal Data Owner to Complain to the Board
CHAPTER EIGHT: PERSONNEL IN DUTY FOR COMPLIANCE WITH THE POLICY
CHAPTER NINE: UPDATES AND CHANGES
POLICY ON THE PROTECTION, PROCESSING AND TRANSFER OF PERSONAL DATA
CHAPTER ONE: GENERAL INFORMATION REGARDING POLICY
1. Introduction
MRY Tekstil Deri Mağazacılık San. Tic. Ltd. Şti. (“Company”), in the capacity of “data controller” within the scope of the Law on Protection of Personal Data No. 6698 (“Law”), to ensure that the personal data of real persons related to our Company, including our customers, users of our website and our employees, are subject to the Law and its related and relevant legislation. It is our priority to ensure that the data subject is processed in accordance with the law and the rights arising from the legislation are used effectively. We carry out the procedures regarding the protection, processing and transfer of the personal data of all data subjects we are in contact with during our activities, in accordance with hereby Personal Data Protection, Processing and Transfer Policy (“Policy”). Protection of personal data and observance of the fundamental rights and freedoms of the persons whose personal data are collected are the basic principles of hereby Policy regarding the processing of personal data.
2. Purpose of the Policy
The main purpose of hereby Policy is to determine the methods we follow for the protection, processing, storage and transfer of personal data shared by data owners during our commercial activities, within the framework of the principles referred to in the Law, by our Company, which has the title of "data controller" under the Law. In this way, it is aimed to ensure full compliance with the legislation in the processing, protection and transfer of personal data carried out by our Company and to protect all the rights of personal data owners arising from the legislation regarding personal data.
3. Scope of the Policy
The personal data of our employees, customers, visitors, business contacts, business partners, potential customers, suppliers, dealers, users visiting our website, in short, all real person data owners with whom we are in contact during our activities, including but not limited to those listed, are within the scope of this Policy.
The protection of personal data covers only the data of real persons, and information belonging to legal entities that do not contain information about the real person is excluded from personal data protection under the Law. Therefore, hereby Policy is not applied to data belonging to legal entities.
4. Definitions
The terms used in this Policy have the following meanings:
Personal Data: | It is all kinds of information that makes the identity specific or identifiable and includes all situations that enable the identification of the person as a result of carrying a concrete content that expresses the physical, economic, cultural, social or psychological identity of the person or as a result of associating with any record such as identity, tax, insurance number. |
Sensitive Personal Data: | It is data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. |
Explicit Consent: | It is consent on a particular subject, based on information and expressed with free will. |
Anonymization: | Making personal data incapable of being associated with an identified or identifiable real person under any circumstances, even by matching with other data. |
Processing personal data: | Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system. It is any operation performed on the data, such as blocking. This includes all types of operations performed on the data, starting from the first time the data is obtained. |
Personal data owner: | The real person whose personal data is processed. |
Data recording system: | The registration system in which personal data is processed and structured according to certain criteria. |
Data controller: | The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
Data processor: | A real or legal person who processes personal data on behalf of the data controller, based on the authority granted to him or her. |
KVKK: | The Law on Protection of Personal Data No. 6698, dated March 24, 2016, published in the Official Gazette dated 7 April 2016 and numbered 29677. |
Board: | Protection of Personal Data Board |
Institution: | Protection of Personal Data Institution |
Policy: | MRY Tekstil Deri Mağazacılık San. Tic. Ltd. Şti. Personal Data Protection, Processing and Transfer Policy |
5. Enforcement of the Policy
This Policy was approved by the Company's Board of Directors and entered into force on 26/12/2019. If changes are required in the Policy, the relevant articles will be updated accordingly. Changes made in hereby Policy are immediately processed in the text and explanations regarding the changes are stated in the Ninth section of hereby Policy.
CHAPTER TWO: CLASSIFICATION OF PERSONAL DATA
1. Personal Data
Personal data is any information relating to an identified or identifiable real person. In line with the legislation, in this Policy, the concept of personal data will also include sensitive personal data.
2. Sensitive Personal Data
Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive personal data.
CHAPTER THREE: DATA SUBJECT GROUPS AND DATA CATEGORIES
1. Personal Data Categorization
Personal data in the following categories are processed by the Company by informing the relevant persons in accordance with Article 10 of the Law. It is also stated in this chapter that the personal data processed in these categories are related to which persons are regulated within the scope of hereby Policy.
CLASSIFICATION OF PERSONAL DATA | STATEMENT |
Identity Information | Name-surname, which is clearly belonging to an identified or identifiable real person, processed partially or completely automatically or non-automatically as part of the data recording system, T.C. Identity number, photocopy of identity card, identity card sample, driver's license information, family members' population information, SSI information, police station identification information, signature circular, etc. |
Contact Information | Clearly belonging to an identified or identifiable real person; processed partially or fully automatically or non-automatically as part of the data recording system; information such as phone number, address, e-mail, social media account |
Financial Information | Processed partially or completely automatically or non-automatically as part of a data recording system, clearly belonging to an identified or identifiable real person; Documents such as financial and salary details, invoice information, file and debt information regarding execution proceedings, bank information, monthly salary receipts, insurance premium payment information, showing all kinds of financial results created according to the type of legal relationship our company has established with the personal data owner. |
Special Personal Data | Processed partially or completely automatically or non-automatically as part of a data recording system, clearly belonging to an identified or identifiable natural person; These are the data specified in Article 6 of the Law. Health policies, health reports, health declaration document, pregnancy status, occupational disease records, employment examination form, daily patient complaints, drugs used, blood group information, criminal record, etc. documents |
Professional Experience Information | Processed partially or completely automatically or non-automatically as part of a data recording system, clearly belonging to an identified or identifiable natural person; documents such as educational status, photocopies of certificates and diplomas |
Audio and Visual Data | Processed partially or completely automatically or non-automatically as part of a data recording system, clearly belonging to an identified or identifiable natural person; documents such as photographs, audio recordings, camera recordings |
Personal Information | Processed partially or completely automatically or non-automatically as part of a data recording system, clearly belonging to an identified or identifiable natural person; CV files, military status certificate, employment contracts, defense petitions, warning letters, resignation petitions, etc. all kinds of documents |
Process Security Information | Processed partially or completely automatically or non-automatically as part of a data recording system, clearly belonging to an identified or identifiable real person; IP address information, website login-exit records, user name and password information, etc. to which company websites are accessed. |
The following table details the above-mentioned categories of personal data owners and what types of personal data are processed by the persons in these categories.
Personal Data Categorization |
DATA OWNER CATEGORY WITH RELATED PERSONAL DATA |
Identity Information | Supplier, employee candidate, employee, customer, company official, visitor, subcontractor and third parties |
Contact Information | Supplier, employee candidate, employee, customer, company official, visitor, subcontractor and third parties |
Financial Information | Customer, employee, supplier, subcontractor and third parties |
Professional Experience Information | Employee candidate, employee |
Special Personal Data | Employee |
Audio and Visual Data | Customer, employee, supplier, visitor and third parties |
Personal Information | employee, employee candidate |
Process Security Information | Customer and third parties |
CHAPTER FOUR: PROCESSING PERSONAL DATA
1. General Principles in the Processing of Personal Data
Personal data is processed by our Company in accordance with the procedures and principles stipulated in the Law and this Policy. The company acts with the following principles when processing personal data:
• Compliance with the law and the rules of good faith: Personal data is processed in accordance with the relevant legal rules and the requirements of the rule of good faith.
• Being accurate and up-to-date when necessary: It is ensured that personal data are correct and kept up-to-date. In this context, issues such as determining the sources from which the data is obtained, confirming its accuracy, and evaluating whether it needs to be updated are carefully considered.
• Processing for specific, clear and legitimate purposes: Personal data is processed for specific, clear and legitimate purposes. Being legitimate means that the personal data processed by the Company is related to and necessary for the work it has done or the service it has provided.
• Being connected, limited and proportional to the purpose for which they are processed: Personal data is related to the purpose in order to achieve the purposes determined by the Company, and the processing of personal data that is not related to the realization of the purpose or is not needed is avoided. It limits the processed data only to what is necessary for the realization of the purpose. Personal data processed in this context are related, limited and measured for the purpose for which they are processed.
• Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed: If there is a period stipulated in the relevant legislation for the storage of data, personal data is kept in accordance with these periods, otherwise for the period required for the purpose for which they are processed. In the event that there is no valid reason for further preservation of personal data, the data in question is deleted, destroyed or anonymized.
2. Terms of Processing Personal Data
The company does not process personal data without the explicit consent of the person concerned. However, in the presence of one of the following conditions, personal data may be processed without seeking the explicit consent of the person concerned:
• Explicitly stipulated in the laws: The Company may process the personal data of the persons concerned, even if there is no explicit consent, in cases expressly stipulated by the laws. E.g; In accordance with Article 230 of the Tax Procedure Law, the explicit consent of the person concerned will not be sought to include the name of the person on the invoice.
• Being obligatory for the protection of life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally recognized: The life or body of the person himself or another person, who is unable to express his consent or whose consent cannot be validated, due to actual impossibility. In order to protect its integrity, personal data may be processed without explicit consent. For example, in a situation where the person is unconscious or whose consent is not valid due to mental illness, the personal data of the person concerned may be processed during medical intervention in order to protect his life or physical integrity. In this context, data such as blood type, diseases and surgeries, and medications used can be processed through the relevant health system.
• Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process the personal data of the parties to the contract: Personal data of the parties to the contract can be processed, provided that it is directly related to the establishment or performance of a contract by the Company. For example, according to a contract made, the account number of the creditor can be obtained for the payment of money.
• Obligatory for the data controller to fulfill its legal obligations: The company may process the personal data of the data subjects if it is necessary to fulfill its legal obligations as a data controller. For example, companies have to report certain data of their employees to SSI.
• Having been made public by the data subject himself: Personal data of the data subject, which has been made public by himself, in other words, disclosed to the public in any way, can be processed without explicit consent, since the legal benefit that needs to be protected is no longer valid.
• Obligatory data processing for the establishment, exercise or protection of a right: In cases where data processing is necessary for the exercise or protection of a legally legitimate right, the Company may process the personal data of the persons concerned without seeking explicit consent.
• Obligation to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject: The Company may process the personal data of the persons concerned in cases where it is necessary to process personal data in order to ensure their legitimate interests, provided that the fundamental rights and freedoms of the persons concerned are protected under the Law and this Policy. The company shows all necessary care and sensitivity to comply with the basic principles regarding the protection of personal data and to observe the balance of interests of the persons concerned.
3. Conditions of Processing of Sensitive Personal Data
The Company does not process Sensitive Personal Data without the explicit consent of the person concerned. The Company also carries out the necessary actions to take adequate measures determined by the Board in the processing of personal data of special nature.
4. Our Purposes of Processing Personal Data
Personal Data collected by the Company is processed for the purposes listed below within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law. In case the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated in the Law, the explicit consent of the data owner regarding the relevant processing process is provided by the Company.
• Execution of our commercial and administrative activities,
• Execution of information security processes,
• Execution of employee candidate application, selection and placement processes,
• Fulfilling the obligations arising from the employment contract and legislation for the employees,
• Execution of audit activities,
• Arrangement of access authorizations,
• Execution of activities in accordance with the legislation,
• Execution of finance and accounting works,
• Ensuring physical space security,
• Execution of assignment processes,
• Follow-up and execution of legal affairs,
• Execution of communication activities,
• Planning of human resources processes,
• Execution and supervision of business activities,
• Execution of occupational health and safety activities,
• Receiving and evaluating suggestions for improvement of business processes,
• Execution of logistics activities,
• Execution of goods/service purchasing processes,
• Execution of goods / services sales process and after-sales support services,
• Execution of goods / services production and operation processes,
• Execution of customer relationship management processes,
• Carrying out activities for customer satisfaction,
• Organization and event management,
• Carrying out marketing analysis studies,
• Execution of Advertising / Campaign / Promotion processes,
• Execution of storage and archive activities,
• Execution of contract processes,
• Follow-up of requests and complaints,
• Ensuring the security of movable property and resources,
• Execution of supply chain management processes,
• Execution of the wage policy,
• Execution of marketing processes of products and services,
• Ensuring the security of the company's operations as a data controller,
• Providing information to authorized persons, institutions and organizations,
• Execution of management activities,
• Creation and follow-up of visitor records,
• To send all kinds of commercial electronic messages, primarily SMS, voice and/or other kinds of marketing messages, within the scope of the Law No. 6563 on the Regulation of Electronic Commerce.
CHAPTER FIVE: TRANSFERRING PERSONAL DATA
1. Terms of Transfer of Personal Data
As a company, we act in accordance with the decisions and regulations stipulated in the Law and taken by the Board regarding the transfer of personal data. Without prejudice to the exceptional circumstances in the legislation, personal data and sensitive data are not transferred by us to other real persons or legal entities without the explicit consent of the person concerned. However, personal data may be transferred without seeking explicit consent in the cases described in article 2 of Chapter Four of hereby Policy.
2. Conditions for Transferring Personal Data Abroad
As a rule, personal data is not transferred abroad without the explicit consent of the person concerned. However, in cases where one of the exceptions stated in Article 2 of the Fourth Section of hereby Policy exists, the third parties abroad can only:
• Located in countries with adequate protection declared by the Board,
• If it is located in countries where there is no adequate protection, the data controllers in Turkey and in the foreign country in question undertake to provide adequate protection in writing and have the permission of the Board;
In such cases, personal data may be transferred abroad without explicit consent.
3. Purposes of Transferring Personal Data and Third Parties to which it may be Transferred
Personal data, for the purposes listed in Article 4 of Section 4 of this Policy,
• To our suppliers,
• To our business partners and business contacts,
• To our group companies,
• Legally authorized public institutions and organizations,
• Legal advisor and financial advisor,
• Company officials,
can be transferred in accordance with the principles and rules described in hereby Policy.
4. Personal Data Envisioned to be Transferred to Foreign Countries
There is no personal data transferred by our company to third parties residing in foreign countries during our operation.
CHAPTER SIX: METHOD OF COLLECTING PERSONAL DATA AND LEGAL REASON
1. Method and Legal Reason for Personal Data Collection
Personal data is collected by our Company through technical and in-process methods carried out in different channels such as our website, mobile applications, call center, registration forms and physical channels, or verbally, in writing or electronically, fully or partially automated or as part of any data recording system. It also aims to carry out legal responsibilities and to fulfill the requirements of the business relationship we have established and to constitute, use and protect the rights we have mutually in this direction, and to protect the legitimate interests of our Company by taking into account the fundamental rights and freedoms of the related persons with whom we are in contact within the framework of legal reasons arising and executed based on the relevant legislation, contract, demand, commercial practice and honesty rules that can be implemented in terms of providing our commercial services to you and carrying out our commercial activities.
SECTION SEVEN: RIGHTS OF THE DATA SUBJECT
1. Disclosure of Personal Data Owner
Our company fulfills its obligation to inform the relevant persons during the acquisition of personal data in accordance with Article 10 of the Law. In this context, information is provided on the identity of the company, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of collecting personal data and the legal reason, and the rights of the person concerned.
2. Rights of Data Subject
Our company, pursuant to Article 11 of the KVKK;
• Learning whether personal data is processed or not,
• If personal data has been processed, requesting information about it,
• To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
• Knowing the third parties to whom personal data is transferred in the country or abroad,
• Requesting correction of personal data in case of incomplete or incorrect processing,
• Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
• Requesting notification of the transactions made pursuant to subparagraphs (d) and (e) of Article 11 of the Law, to third parties to whom personal data has been transferred,
• Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
• Requesting the compensation of the damage in case of damage due to the unlawful processing of personal data,
explains that they have rights.
3. Circumstances in which the Personal Data Owner cannot assert his rights
Pursuant to Article 28 of the KVKK, the persons concerned cannot claim their above-mentioned rights in the following cases and the processing of personal data will be outside the scope of KVKK and this Policy in the following cases:
• Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.
• Processing personal data for purposes such as research, planning and statistics, by making them anonymous with official statistics.
• Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
• Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
• Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
In accordance with the article no 28/2 of KVKK, the persons concerned cannot claim the above-mentioned rights, except for the right to demand the compensation of the damage in the cases listed below:
• The processing of Personal Data is necessary for crime prevention or criminal investigation.
• Processing of personal data made public by the Personal Data Owner.
• The processing of Personal Data is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions, for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution, based on the authority given by the law.
• The processing of Personal Data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
4. Use of Personal Data Owner's Rights
By filling in and signing the "Relevant Person Application Form" on our website, with the information and documents that will identify the requests of the relevant persons regarding their rights listed in this Policy, and with the methods specified below;
• By personal application,
• Via notary public,
• By mail,
• By sending it to the registered e-mail address of our Company, mrytekstil@hs03.kep.tr, signed by the applicant with the "secure electronic signature" defined in the Electronic Signature Law No. 5070,
They can forward it to our company.
Informing about how written applications will be delivered to us, specific to application channels:
Application Method | Address of Application | Information to be Specified in Application |
Application in person or by mail (Applicant's application with a document proving his/her identity by coming to our Company Headquarters in person or sending it by mail) | Dokuz Eylül Mah. Kahramanlar Cad. No:33/1 Gaziemir, İzmir | “Information Request Under the Law on Protection of Personal Data” should be written on the envelope. |
Notification via notary | Dokuz Eylül Mah. Kahramanlar Cad. No:33/1 Gaziemir, İzmir | “Information Request Under the Law on Protection of Personal Data” should be written in the notification envelope. |
Application via registered electronic mail (REM) by signing with a secure electronic signature | "Personal Data Protection Law Information Request" should be written in the subject part of the e-mail. |
5. The Company's Response Procedure and Time to Applications
Our company concludes the requests in the application as soon as possible and within thirty days at the latest, depending on the nature of the request. It reserves the right to request additional documents and information for identification and authority determination, in order to eliminate legal risks that may arise from illegal and unfair data sharing and especially to ensure the security of personal data. All responsibility arising from illegal or illegitimate, misleading or erroneous applications will belong to the person who made the request. Within the scope of the Communiqué on the Procedures and Principles of Application to the Data Controller, if our Company's response to the application exceeds 10 pages, a processing fee of 1 Turkish Lira will be applied for each page after page 10. Our company may accept the request or reject it by explaining the reason; gives its answer in writing or electronically. In case the request in the application is accepted, the Company fulfills the requirements of the request.
6. Right of Personal Data Owner to Complain to the Board
In cases where the application is rejected, the answer is found insufficient, or the application is not answered in due time, the data owner has the right to file a complaint with the Board within thirty days from the date of finding out the answer, and in any case within sixty days from the application date.
CHAPTER EIGHT: PERSONNEL IN CHARGE OF COMPLIANCE WITH THE POLICY
In order to manage hereby Policy and other policies related and relevant to this Policy, within the company, employees authorized and assigned to audit KVKK Compliance have been determined in accordance with the decision of the Company's senior management. These employees are authorized and responsible for taking the necessary actions for the storage, processing and transfer of the data of the persons concerned in accordance with the law, hereby Policy and other related and relevant policies. The main duties of the employees responsible for auditing on KVKK are as follows:
• To decide how the implementation and supervision of the directives and all other policies, internal directives etc. regarding the Protection, Processing and Transfer of Personal Data will be carried out, to make internal assignments within the company and to submit the issues of ensuring coordination to the approval of the senior management.
• To supervise and coordinate the implementation of the issues that need to be done in order to ensure compliance with the KVKK and the relevant legislation.
• To raise awareness within the Company and the institutions with which the Company cooperates on the Protection and Processing of Personal Data.
• To ensure that the necessary measures are taken to eliminate the risks that may arise in the personal data processing activities of the company.
• To plan and implement trainings on the protection of personal data and the implementation of policies.
• To decide on the applications of the relevant persons as quickly as possible.
• To prepare the changes in the basic policies regarding the Protection and Processing of Personal Data and submit them to the approval of the senior management in order to put them into effect.
• To follow the developments and regulations on the Protection of Personal Data; To advise senior management on what needs to be done within the Company in accordance with these developments and regulations.
• Coordinating the relations with the Personal Data Protection Board and Institution.
• To perform other duties to be assigned by the senior management of the company regarding the protection of personal data.
CHAPTER NINE: UPDATES AND CHANGES
The Company reserves the right to make changes in hereby Policy and other affiliated and related policies in line with the changes made in the Law and its related legislation, Board decisions and/or developments in the sector or in the field of informatics. Changes made in hereby Policy are immediately processed in the text and explanations regarding the changes are stated in this chapter
26/12/2019 : Personal Data Processing and Protection Policy was accepted by the Company's Board of Directors and entered into force.