PERSONAL DATA PROTECTION AND PROCESSING POLICY
1. Purpose
The following information provides an overview of the consent given to Aydın Örme Sanayi ve Ticaret Anonim Şirketi (“AYDIN ÖRME”) regarding privacy and the protection of personal data, as well as the basic information on the protection of personal data.
The Personal Data Protection Law No. 6698 (“KVKK”) was published in the Official Gazette dated April 7, 2016 and numbered 29677. The KVKK was enacted to protect the fundamental rights and freedoms of natural persons whose personal data are processed, including the right to privacy protected by the Constitution, and to determine the obligations of natural and legal persons who process personal data. In addition, the Electronic Commerce Law No. 6563 also contains provisions on the protection of personal data. The Turkish Penal Code No. 5237 also provides for criminal penalties in some cases for the protection of personal data.
2. Scope
AYDIN ÖRME presents the following statements to the attention of third parties who use AYDIN ÖRME’s website.
AYDIN ÖRME reserves the right to update these Personal Data Protection Policy partially or entirely at any time within the framework of changes that may be made in the applicable legislation, and legal changes will be binding on both AYDIN ÖRME and data subject.
3. Responsibilities
3.1 Data Controller
In accordance with the KVKK, any operation performed on data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, inheriting, making accessible, classifying, or preventing the use of, whether fully or partially automatically or non-automatically as part of any data recording system, is considered as processing of personal data.
3.2 Data Processor
Natural or legal persons who process personal data on behalf of AYDIN ÖRME, based on the authority granted by AYDIN ÖRME, within the framework of the relevant legal legislation and the approvals/consents given by the data subjects.
3.3 Responsibility
In the event that personal data are processed by another natural or legal person on behalf of AYDIN ÖRME, with the authority granted by AYDIN ÖRME, AYDIN ÖRME, as the data controller, and the third parties who process the data are jointly responsible for taking the necessary protection and other arrangements/measures required by the relevant legislation. AYDIN ÖRME; Within the scope of its responsibilities under the legislation, as the data controller, periodically audits the compliance of data processors with its privacy policy to ensure that the trust AYDIN ÖRME provide to persons who share their personal data is also maintained in the same way by its business partners, service providers, suppliers, and contractors.
4. Definitions
4.1 AYDIN ÖRME: Aydın Örme Sanayi ve Ticaret Anonim Şirketi
4.2 Consent: Consent given specifically, in accordance with the principles of transparency and free will, for a specific purpose and limited to the purpose of processing data.
4.3 Anonymization: Processing of personal data in such a way that it cannot be associated with any specific or identifiable natural person, even when combined with other data.
4.4 Employee: Employee of Aydın Örme Sanayi ve Ticaret Anonim Şirketi.
4.5 Service Provider: Personnel of a company (supplier, contractor, etc.) that AYDIN ÖRME receives and/or provides services.
4.6 Data Subject: Natural person whose personal data is processed.
4.7 Personal Data: Any information about an identified or identifiable natural person.
4.8 Special Categories of Personal Data: Categories of personal data that, if learned, could lead to the victimization or the discrimination of the person concerned.
4.9 Processing of Personal Data: Any operation performed on data, such as obtaining, recording, storing, maintaining, modifying, reorganizing, disclosing, transferring, transferring, acquiring, making available, classifying or preventing the use of, either fully or partially automatically or manually as part of any data recording system.
4.10 Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
4.11 Data Controller: A natural or legal person who determines the purposes and means of processing personal data, and is responsible for the establishment and management of the data recording system, and is obliged to register with the Personal Data Controllers Registry.
4.12 KVK Board: Personal Data Protection Board
4.13 KVK Institution: Personal Data Protection Institution
4.14 KVKK: Personal Data Protection Law No. 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677.
4.15 Policy: AYDIN ÖRME Personal Data Protection and Processing Policy.
5. Applications
5.1 Collection of Personal Data
Personal data provided by individuals who process transactions on AYDIN ÖRME websites or mobile websites, individuals in commercial relations with AYDIN ÖRME, employees, individuals who visit AYDIN ÖRME workplaces, employees of AYDIN ÖRME, and third parties who enter into any legal, commercial or social relationship with AYDIN ÖRME are processed by AYDIN ÖRME in accordance with their consents and/or provisions of the legislation.
AYDIN ÖRME may match information collected through different methods or at different times, such as online and offline, and use this information in conjunction with information from other sources, such as third parties.
6. Legal Obligations
In accordance with the Personal Data Protection Law No. 6698, AYDIN ÖRME has obligations within the scope of the protection and processing of personal data. These obligations are listed as follows:
6.1 Enlightening
AYDIN ÖRME is obliged to enlighten the data subject when collecting personal data and to provide the following information to the data subject within the scope of the relevant legislation:
- The identity of the data controller and, if any, its representative
- The purpose for which the personal data will be processed
- To whom and for what purpose the processed personal data may be transferred
- The legal basis for collecting personal data
- The rights of the data subject
Within the scope of the enlightening, AYDIN ÖRME will inform the data subjects about the processing of their personal data through different tools. In addition, AYDIN ÖRME attaches importance to the fact that its public policies are understandable to the data subjects.
The tools to be used for how the data subjects will be informed are determined in accordance with the legislation by AYDIN ÖRME’s internal policies.
6.2 Informing
As stated in Article 11 of the Personal Data Protection Law No. 6698, the rights of the data subjects for the protection of their personal data are as explained in this policy. Within the scope of the KVKK, AYDIN ÖRME is obliged to inform the data subjects regarding these rights; this notification will be made within the period prescribed by the legislation.
The aforementioned requests must be submitted to AYDIN ÖRME in accordance with the legislation in writing or by other methods to be determined by the KVK Board. AYDIN ÖRME is working to provide more opportunities for the data subjects to apply and exercise their rights in order not to violate the decision of the Board on this matter.
6.3 Data security obligation
As a data controller, AYDIN ÖRME`s obligations regarding data security, which are derived from Article 12 of the Personal Data Protection Law No. 6698, are specified in this document and legislation. In addition to these, the relevant legal legislation and the compulsory matters imposed by the Board will also be applied by AYDIN ÖRME.
6.4 Obligation to register in the Personal Data Controllers Registry
In accordance with Article 16 of the Personal Data Protection Law No. 6698, AYDIN ÖRME is obliged to register in the Personal Data Controllers Registry.
7. Personal Data Classification
7.1 Personal data:
The Personal Data Protection Law (KVKK) defines personal data as any information about an identified or identifiable natural person. In this context, the person`s data must be identified or identifiable (i.e., it must be possible to identify the person when combined with another piece of information). A person`s name, surname, date of birth and place of birth, identity information, social security number, phone number, address, images, payment information, and similar information are all considered personal data.
The subject data of the Personal Data Protection Law is personal data belonging to the natural persons, and legal persons are excluded from the scope. Therefore, information such as the registration number, trade name, and registration information of a legal entity that does not contain any information about a natural person is not protected as personal data under the KVKK.
7.2 Special categories of personal data
Special categories of personal data are personal information of a nature that could lead to the victimization of the data subject or to discrimination if it is learned. In the KVKK, it is defined as follows:
"Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are special categories of personal data."
Processing of special categories of personal data without the explicit consent of the data subject is prohibited except in cases where the law explicitly authorizes such processing.
In this context, AYDIN ÖRME does not process such personal data except in cases where it is required by law, or with the explicit consent of the data subject in accordance with Article 6 of the KVKK.
8. Rules for Processing Personal Data
8.1 Principles to be followed for the processing of personal data:
All collected personal data will be processed in accordance with the principles listed in Article 4 of the KVKK, and the conditions specified in Articles 5 and 6. AYDIN ÖRME is responsible for processing personal data in accordance with the law and the principles of fairness, accuracy, timeliness, specificity, clarity, and legitimacy, in accordance with Article 4 of the KVKK.
Within this framework,
- AYDIN ÖRME is obliged to act in accordance with the rules, prohibitions, rights, and principles stipulated by legislation when processing personal data.
- AYDIN ÖRME will be transparent and comply with the obligations to inform and enlighten when processing personal data in accordance with the principles of good will.
- AYDIN ÖRME will be able to process personal data only for legitimate and legal reasons, that is, for clearly defined and legally legitimate limited purposes, within the scope of the consent it is given if it needs to obtain consent.
- AYDIN ÖRME will process personal data as necessary. In this context, taking into account the principle of proportionality, personal data will not be used outside of the cases required by AYDIN ÖRME`s activities and will only be used for the purpose of those activities. In addition, personal data that is not needed or required to achieve the goal will be avoided from being processed.
- AYDIN ÖRME will retain personal data for the period specified in the relevant legislation or for the period necessary for the purpose for which they are processed, and will not store these data (if possible) without anonymizing them for any reason after the end of this period.
8.2 AYDIN ÖRME`s Purposes for Processing Personal Data
8.2.1. AYDIN ÖRME processes personal data in accordance with Articles 5 and 6 of the Personal Data Protection Law (KVKK), and for the following purposes, with the consent of the data subject in cases where consent is required, within the scope of the legal legislation:
- Personal and contact data: Information such as name, surname, phone, and email is used for communication purposes. In this direction, the data collected are used to improve the operational activities such as business development, marketing, and communication, and to provide better services.
8.2.2. In addition to the purposes stated above, data are collected in general for the following matters.
- To provide information about new services,
- To provide online and offline services,
- To answer questions and provide an effective service,
- To send messages, newsletters, and other publications through e-mail platforms,
- To process personal data for legal requirements and fulfillment of legal obligations,
- To process personal data for the establishment and performance of contracts with the data subjects,
- To record the necessary information such as an address for communication,
- To prepare all records and documents that will be the basis for processing in electronic (internet/mobile, etc.) or paper format,
- To be able to provide information to public authorities in cases where required by law,
- To be able to offer suggestions by our partner institutions and solution partners, and provide information about our services,
- To be able to evaluate complaints and suggestions regarding our services,
- To be able to fulfill our legal obligations and use the rights arising from the current legislation.
8.3 Ensuring that Personal Data is Processed in Accordance with the Law
AYDIN ÖRME is obliged to take the following technical measures to ensure that personal data is processed in accordance with the law:
- To establish an internal organization within the company for the processing and storage of personal data in accordance with the Law,
- To create the technical infrastructure to ensure the security of the databases where personal data will be stored,
- To ensure the monitoring of the technical infrastructure and processes that have been created,
- To determine procedures for reporting the technical measures taken and the auditing processes,
AYDIN ÖRME takes the following administrative measures to ensure that personal data is processed in accordance with the law:
- To inform and train company employees about the protection and processing of personal data in accordance with the law,
- To detail the measures to be taken in cases where personal data is processed illegally by company employees in policies and in the contracts made with the company employees,
- To monitor the personal data processing activities of the data processors and partners it works with.
9. Personal Data Sharing Policy
The sharing of personal data with third parties is carried out with the consent of the data subject and within the framework of the legislation, and as a rule, personal data is not transferred to third parties without the consent of the data subject.
However, personal data can be shared with courts and other public institutions, within the limits of our legal obligations, and in compliance of the legislation on personal data protection.
Personal data can be shared with AYDIN ÖRME shareholders, direct/indirect domestic/foreign subsidiaries, partner institutions and organizations we cooperate with to carry out our activities, persons and institutions in Turkey/abroad where we receive data storage services in the cloud, organizations we have agreements with for sending commercial electronic notifications, banks we have agreements with, and various agencies, advertising companies and survey companies in Turkey and abroad within the scope of various marketing activities, and other third parties in Turkey/abroad and our relevant business partners.
9.1 Transfer of Personal Data Within Turkey
AYDIN ÖRME is obliged to act in accordance with the provisions and rules determined in the KVKK and decisions taken by the KVK Board with regard to the transfer of personal data. Personal data and special categories of personal data belonging to the data subjects cannot be transferred to other natural or legal persons without the explicit consent of the person.
However, in cases where the KVKK and other legislation require it, the data may be transferred to competent administrative or judicial institutions or organizations, without the explicit consent of the data subject, in accordance with the limits determined in the legislation. In addition, personal data may be transferred without the consent of the data subject in cases foreseen in the second paragraph of Article 5 of the KVKK (for example, if it is necessary for the establishment or performance of a contract or for the fulfillment of a legal obligation) or in the third paragraph of Article 6 for special categories of personal data. AYDIN ÖRME may transfer personal data to third parties located in Turkey with whom it cooperates or receives services from, limited to the purpose of carrying out its commercial purposes and activities, taking all necessary security measures in accordance with the legislation, and to prevent their use by the third party after the end of the business relationship with the third party.
9.2 Transfer of Personal Data Abroad
AYDIN ÖRME will not transfer confidential information abroad except in cases where it has received the approval of the data subject. However, AYDIN ÖRME may transfer personal data to be processed or stored in Turkey or abroad. In exceptional cases where the consent for the transfer of personal data specified in the KVKK is not required, in addition to the conditions for processing and transferring without consent, the requirement that the country to which the data is transferred has adequate protections is also required. The KVK Board will determine whether adequate protections are provided, and if adequate protections are not found, both the data controllers in Turkey and the data controllers in the relevant foreign country must commit to providing adequate protection in writing and the permission of the KVK Board must be obtained.
9.3 Measures Taken by AYDIN ÖRME for the Legal Transfer of Personal Data
- Technical measures taken:
AYDIN ÖRME takes measures to prevent unauthorized access, processing, transfer and use of personal data by different subsidiaries within AYDIN ÖRME and different units within the relevant subsidiaries, and natural or legal persons who process personal data on behalf of AYDIN ÖRME based on the authority granted by AYDIN ÖRME.
- Administrative measures taken:
AYDIN ÖRME establishes internal policies regarding how access to personal data should be given to whom and for what purpose of processing for its different subsidiaries, for different units within the relevant subsidiaries, and for natural or legal persons who process personal data on behalf of AYDIN ÖRME based on the authority granted by AYDIN ÖRME.
10. Personal Data Retention Policy
10.1 Retention for the period specified in the relevant legislation or for the period necessary for the purpose of processing:
AYDIN ÖRME retains the personal data it processes in accordance with the Personal Data Protection Law (KVKK) Article 7 and the Turkish Penal Code Article 138 only for the period specified in the relevant legislation or, if no period is specified in the legislation, for the period required for the purpose of processing personal data. The data held will be deleted after the purpose of holding the data has ended, and the maximum period for deletion is determined as an average of 2 years after the purpose of holding the data has ended. However, in cases where a longer or shorter period is foreseen in a mandatory manner within the scope of the legal framework, the data will continue to remain in the system for the period specified in the legislation.
Therefore, different retention periods may be valid for each personal data, depending on the period specified in the relevant legislation or the period necessary for the purpose for which they are processed.
For example, pursuant to Article 253 of the Tax Procedure Law, books and records must be kept for a period of 5 (five) years.
On the other hand, a data may also be processed for multiple purposes, and in such a case, when all the reasons that caused the processing of the relevant data have disappeared, the relevant data will be deleted, destroyed, or made anonymous and retained.
10.2 Measures taken by AYDIN ÖRME for the retention of personal data:
If the reasons for processing them have disappeared, AYDIN ÖRME shall, of its own accord or upon the request of the data subject, delete, destroy, or anonymize personal data that has been processed in accordance with the KVKK and other relevant legislation in such a way that they cannot be used in any way and cannot be retrieved. The procedures and principles for the legal destruction or anonymization of personal data will be carried out in accordance with the principles and rules specified in the personal data protection legislation.
- Technical measures taken:
AYDIN ÖRME will establish the necessary systems and control mechanisms for the deletion, destruction, and anonymization of personal data.
- Administrative measures taken:
AYDIN ÖRME will inform and raise awareness of natural or legal persons who process personal data on behalf of AYDIN ÖRME on the legal retention of personal data; at the same time, it will ensure that these persons take measures to ensure the legal retention and deletion, destruction, or anonymization of their personal data in accordance with the contracts concluded with them.
AYDIN ÖRME is responsible for supervising the personal data retention activities carried out by natural or legal persons who process personal data on its behalf based on the authority it has granted.
11. Personal Data Security Policy
11.1 AYDIN ÖRME`s Obligations Regarding Data Security
Pursuant to Article 12 of the Personal Data Protection Law (KVKK), AYDIN ÖRME`s obligations regarding data security, as a data controller, are as follows:
- AYDIN ÖRME shall take all necessary technical and administrative measures to prevent:
- unlawful processing of personal data;
- unlawful access to personal data;
- the loss or destruction of personal data.
- AYDIN ÖRME shall carry out or have carried out the necessary audits within its organization.
- AYDIN ÖRME shall take the necessary measures to prevent persons who process personal data on its behalf from disclosing or using personal data they have learned during their duties in violation of the provisions of the law, even if they leave their positions.
- AYDIN ÖRME shall notify the data subject and the Board in the event that personal data processed are illegally acquired by others.
11.2 AYDIN ÖRME`s Measures Regarding Data Security
In order to fulfill its obligations regarding data security and to act quickly in cases where security poses a risk, AYDIN ÖRME takes the following measures:
11.2.1. Technical and administrative measures taken to prevent unlawful access to personal data:
The technical and administrative measures to be taken while the processing, transferring, and preserving personal data are listed in the relevant sections. AYDIN ÖRME is obliged to take these measures in full and to prevent unlawful access. However, if third parties still have unlawful access to personal data, AYDIN ÖRME takes all technical and administrative measures to prevent the harm of the data subjects in accordance with the relevant legislation and decisions of the Board on the protection of personal data.
11.2.2. Measures taken regarding the protection of personal data and their supervision:
AYDIN ÖRME`s data recording systems used within the organization are periodically monitored and audited to ensure that they are created and operated in accordance with the KVKK and relevant legislation. Reports are made to the person or body authorized for this purpose to the extent required by the legislation.
AYDIN ÖRME is obliged to inform and raise awareness of natural or legal persons who process personal data on its behalf based on the authority it has granted on the legal protection of personal data. At the same time, it is obliged to provide provisions for the legal protection of the personal data within the framework of the contracts concluded with these persons.
11.2.3. Measures to be taken in case of unauthorized disclosure of personal data:
AYDIN ÖRME is obliged to take measures to prevent the unauthorized disclosure of personal data and to establish an internal policy for this purpose. In addition, in such cases, AYDIN ÖRME, as the data controller, is obliged to inform the data subjects whose personal data is unauthorizedly disclosed and the Board.
12. Rights of the Data Subject
Pursuant to the Personal Data Protection Law (KVKK), the data subjects have the following rights with respect to their personal data:
- To learn whether their personal data is being processed;
- To request information if their personal data is being processed;
- To learn the purpose of processing and whether it is being used for that purpose;
- To know the third parties to whom their personal data is transferred within or outside Turkey;
- To request that their personal data be corrected if it is incomplete or inaccurate, or if it has changed;
- To request that their personal data be erased or destroyed under the conditions set forth in Article 7 of the KVKK;
- To request that the third parties to whom their personal data has been transferred be informed of the actions taken pursuant to subparagraphs 5 and 6 above;
- To object to the outcome which is against them that arises as a result of their personal data being analyzed solely through automated systems;
- To request compensation for damages if they suffer damage due to the processing of their personal data in violation of the KVKK.
Personal Data Access Right
The data subjects have the right to access their personal data free of charge. Therefore, AYDIN ÖRME undertakes to provide the data subjects with the following rights under the relevant legislation:
- The right to learn whether their personal data is being processed;
- The right to request information about the processing of their personal data if it is being processed;
- The right to learn the purpose of processing their personal data and whether it is being used for that purpose;
- The right to request to learn the third parties to whom their personal data is transferred within or outside Turkey.
The Data Subject`s Right to Change and/or Delete Their Personal Data
The data subject has the right to change or delete their personal data free of charge. In this context, the data subject has the following rights:
- The right to request that their personal data be corrected if it is incomplete or inaccurate;
- The right to request that their personal data be erased or destroyed if the reasons for processing their personal data cease to exist;
- The right to request that the third parties to whom their personal data has been transferred be informed of the above-mentioned correction, deletion, or destruction procedures;
- The right to object to the outcome which is against them that arises as a result of the data being processed solely through automated systems.
Keeping Personal Data Up-to-Date
Pursuant to the KVKK, we are under an obligation to ensure that your personal data is accurate and up-to-date when necessary. Therefore, please inform us of any changes in your status in order to keep your personal data accurate and up-to-date.
The Data subject`s Application and Evaluation of the Application
The data subjects may submit a request to AYDIN ÖRME, without any restrictions, within the scope of the rights provided by the relevant legislation, in order to provide the fastest possible access to the personal data processed by AYDIN ÖRME and to use the rights mentioned above. AYDIN ÖRME will create the necessary application channels to meet these access requests. Applications are answered as soon as possible and in any case within the period foreseen in the KVKK.
The data controller’s representative will resolve the requests related to the processing and protection of personal data free of charge within the shortest possible time and in any case within 30 days at the latest, depending on their nature. In any case, the data subject can contact AYDIN ÖRME through one of the communication channels under the previous paragraph and submit their request.
In order for this period to begin, the requests made by the data subjects must be sent to the data controller or its representative in writing or by other methods determined by the KVK Board, and the documents that identify the data subject must also be sent in full. Until a specific method is determined by the Board, applications must be made in writing. The data subject must clearly state which right they are exercising during the application and send it to the AYDIN ÖRME headquarters by registered mail with return receipt, and if necessary, with information and documents.
The requests made by the data subject are accepted or rejected by the data controller or its representative, explaining the reason in compliance with the legislation, and a written or electronic response will be sent. If the application is accepted, AYDIN ÖRME will take the necessary action. In some cases, the application could not be responded positively due to legal obligations or other reasons specified in Article 5 and 6 of the KVKK regarding the request for processing/changing/deleting personal data. In this case, the reasons will be explained in detail in the rejection and the legal basis will be explained.
In cases where the application is rejected by AYDIN ÖRME in compliance with the legislation, or the answer is found to be insufficient, or no answer is given within the specified period; the data subject has the right to complain to the KVK Board within 30 (thirty) days from the date of learning the answer and in any case within 60 (sixty) days from the date of application.
13. Publication of This Data Policy
This personal data policy will be notified to data subjects within the scope of the legal obligation of enlightenment and will also be published on the AYDIN ÖRME websites.
14. Changes and Updates
The rights of the data subjects under the KVKK are the obligations of AYDIN ÖRME. In this context, if a change is required in accordance with AYDIN ÖRME`s economic and commercial decisions or legislation or decisions of the KVK Board, the data subjects will be notified via at least one of their existing registered communication information, such as e-mail, SMS, voice message, etc.