SARMAŞIK CLOTHING CONSTRUCTION FOOD ELEK. SINGING. AND FOREIGN TRADE. Inc.

PROCESSING AND PROTECTION OF PERSONAL DATA POLICY

LOGIN

 

Our company SARMAŞIK GİYİM İNŞAAT GIDA ELEK. SINGING. AND FOREIGN TRADE. Inc. (hereinafter referred to as "Sarmaşık Giyim") Ehlibeyt Mah. 6.Sokak No: 25-B Balgat Çankaya/ANKARA is a legal entity.

Tugba Giyim is the data controller within the scope of the Law No. 6698 on the Protection of Personal Data (hereinafter referred to as the "PDP Law"). Personal data owners are natural persons whose personal data are collected, processed and transferred in accordance with the PDP Law No. 6698 and the provisions of other legislation to which Tugba Giyim is subject, for the purposes stated below.

Sarmaşık Giyim attaches great importance to the security of personal data. With this awareness, the personal data of the personal data owners, the PDP Law No. 6698, the Regulation on the Deletion, Destruction or Anonymization of Personal Data, which was published in the Official Gazette dated October 28, 2017, which constitutes the secondary regulations of the Law, and the Regulation on the Anonymous It is processed and stored in accordance with the Regulation on the Data Controllers Registry and other relevant regulations.

PURPOSE AND SCOPE OF PREPARING THE POLICY

  1. With the policy, it is aimed that the regulations to be brought by Sarmaşık Giyim within the framework of the basic principles to be explained below in order to comply with the PDP Law, are effectively implemented by Sarmaşık Giyim's shareholders, officials, employees and business partners.
     
  1. In line with the basic regulations envisaged by the policy, all kinds of administrative and technical measures will be taken in terms of the processing and protection of personal data within the operation of Sarmaşık Giyim, necessary internal procedures will be established, all necessary trainings will be made to raise awareness. Appropriate and effective control mechanisms will be established by taking all necessary measures for
     
  1. The policy regulates the basic principles to be observed in all these processes and the matters that Sarmaşık Giyim is responsible for directing the internal functioning in accordance with the regulations introduced by the PDP Law. With the internal procedures to be established within the framework of the PDP Law and the relevant legislation, compliance activities to be carried out by Sarmaşık Giyim for the protection of personal data will be regulated. All employees of Sarmaşık Giyim are obliged to act in accordance with the regulations introduced by this Policy and the provisions of the PDP Law and all other relevant legislation while performing their duties.
  1. In case of non-compliance with the Policy and the provisions of the relevant legislation, in addition to the criminal and legal liability stipulated by the provisions of the legislation, sanctions that may go up to the termination of the contract with just cause will be applied within the framework of the legislation regulating business life, depending on the nature of the event.

DEFINITIONS

The following terms in this Policy;

  • Explicit consent: Consent on a specific subject, based on information and expressed with free will,
  • Making it anonymous: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data,
  • Chairman: Chairman of the Personal Data Protection Authority,
  • Relevant person: The real person whose personal data is processed,
  • Personal data: Any information relating to an identified or identifiable natural person,
  • Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, all kinds of operations carried out on the data, such as the classification or prevention of its use,
  • Deletion of Personal Data: The process of making personal data inaccessible and unusable for the relevant users,
  • Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and reusable by anyone,
  • Board: Board: Personal Data Protection Board,
  • Institution: Personal Data Protection Authority,
  • Private Personal Data: Data about the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric data. and genetic data,
  • Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,
  • Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,
  • Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,
  • Regulation: Regulation on Data Controllers Registry,

means.

In accordance with paragraph 1 of Article 11 of the Regulation, responsible persons have been appointed by Sarmaşık Giyim regarding the PDP procedure and necessary measures have been taken.

 

GENERAL PRINCIPLES OF PROCESSING PERSONAL DATA

Sarmaşık Giyim accepts that it will process the personal data remaining within the scope of this Policy in accordance with the following principles in accordance with Article 4 of the PDP Law:

Compliance with the law and the rule of honesty; Sarmaşık Giyim, as a data controller and as a prudent trader, will carry out personal data processing activities in accordance with the provisions of all legislation in force and to come into force, especially the Constitution and the PDP Law, and in accordance with the honesty rule stipulated by Article 2 of the Civil Code. accepts. 

Accuracy and Timeliness; Sarmaşık Giyim takes all necessary measures to ensure the accuracy and up-to-dateness of personal data, to the extent permitted by the technique, in the processing of personal data. Administrative and technical mechanisms established by Sarmaşık Giyim will be operated for the correction and verification of incorrect or out-of-date personal data in line with the requests of the data subject to be notified to Sarmaşık Giyim in the capacity of data controller and the situations that Sarmaşık Giyim will deem necessary.

Processing for Specific, Explicit and Legitimate Purposes; Personal data is processed by Sarmaşık Giyim in accordance with the law, limited to the services offered or to be provided with the requirements of the relevant legislation provisions, and the purpose of processing personal data is determined clearly and precisely before the data is processed.

Processing Data Relating to the Purpose for which they are Processed, Limited and Measured; Personal data is processed by Sarmaşık Giyim in connection with and limited to the purposes of processing and to the extent necessary for the realization of this purpose. In this context, it is essential to avoid the processing of personal data that is not related to the purpose of processing the data and that is not needed.

Processing Limited to the Time Provided by the Legislative Provisions or Required by the Purpose of Processing; Personal data are kept in line with the periods stipulated by the provisions of the relevant legislation or for the period required by the purpose of processing the data. Personal data is deleted, destroyed or anonymized by Sarmaşık Giyim at the end of the period stipulated by the provisions of the legislation or at the end of the period required for the purpose of processing the data. Necessary administrative and technical measures will be taken to prevent data from being retained at the end of the required period.

 

PERSONAL DATA PROCESSING CONDITIONS

The processing conditions of personal data are regulated by the PDP Law, and personal data is processed by Sarmaşık Giyim in accordance with the conditions stated below.

 

  1. General Conditions for Processing Personal Data
    Apart from the exceptions listed in the Law, Sarmaşık Giyim processes personal data only by obtaining the explicit consent of the data owners. In the presence of the following situations listed in the Law, personal data can be processed even without the explicit consent of the data owner:
  • Clearly stipulated in the law,
  • It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid,
  • It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
  • It is mandatory for the data controller to fulfill its legal obligation, 
  • Having been made public by the data owner himself,
  • Data processing is mandatory for the establishment, exercise or protection of a right,
  • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner.

 

  1. Conditions for Processing Special Quality Personal Data
    Sarmaşık Giyim shows special sensitivity in the processing of special quality personal data, which is believed to be of more critical importance for data owners from various aspects. In this context, provided that adequate measures determined by the Board are taken, such data are not processed without the explicit consent of the data owners. However, special categories of personal data other than health and sexual life data can also be processed without the explicit consent of the data owner in cases stipulated by law. However, data related to health and sexual life can be processed without obtaining explicit consent, provided that adequate precautions are taken and in the presence of the following reasons:
  • Protection of public health,
  • Preventive medicine,
  • Medical diagnosis,
  • Execution of treatment and care services,
  • Planning and management of health services and its financing.

 

METHODS OF OBTAINING AND PROCESSING PERSONAL DATA

In this context, your personal data may be collected by natural or legal persons who process data on behalf of Sarmaşık Giyim or Sarmaşık Giyim, but not limited to those listed, in writing or electronically, by the methods specified below;

  • Notifications made during campaigns made through communication channels such as e-mail, telephone and social media accounts,
  • Job contract and internship platforms,
  • The institutions with which our company has professional relations, their signature circulars,
  • Powers of attorney, contracts,
  • Various contracts you have signed with our company and all kinds of e-mails, requests, work orders, faxes and letters you have sent to our company,
  • Third party company(s) that processes data on behalf of our company or supports our company at any stage of the membership program process,
  • Our customer service channels, including our employees, digital marketing and call center,
  • social media channels,

    It is obtained through the data recording system and is processed in the inventory in this way.
    We would also like to mention that the legal reasons for data processing; In case it is expressly stipulated in the laws pursuant to PDPL art.5/2/a and art.6/3;
  • Pursuant to art.5/2/c, for the establishment, performance and termination of the contract, if any, with the data owner or the institution to which it is affiliated,
  • In order for the Company to fulfill its legal obligations pursuant to art.5/2/ç,
  • have been made public by you in accordance with art.5/2/d,
  • In cases where it is compulsory for the legitimate interests of the data controller, such as the promotion of the institution, provided that it does not harm the fundamental rights and freedoms of the data subjects pursuant to art.5/2/f.

    In cases where there is no legal reason specified here and in the Law, your personal data will be processed, if necessary, with your explicit consent in accordance with art.5/1 and art.6/2.
  1. Personal Data Subject Groups

Personal Data Subject Groups

Description

Ivy Clothing

Shareholders

Real persons shareholder of Sarmaşık Giyim

Ivy Clothing

Officials

Board member of Sarmaşık Giyim and other authorized natural persons

Employees/Interns

Real persons working or interning at Sarmaşık Giyim

Employee Candidates

Real persons who have applied for a job in any way or have opened their CV and related information to Sarmaşık Giyim for review, but who do not work or do internships within Sarmaşık Giyim

Employees, Shareholders and Authorities of the Institutions We Collaborate with (Sarmaşık Giyim's goods and service suppliers, business partners, etc.)

All kinds of businesses, including the institutions (such as but not limited to business partners, goods and service suppliers) with which Sarmaşık Giyim has business relations with or without a contractual relationship, in order to provide operational services, develop investments and carry out commercial activities. is in a relationship with; natural persons, including shareholders, employees and officials of institutions
  1. Data Categorization

Data Categorization

Data Categorization Description

Credentials

Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; data that contains information about the identity of the person; name-surname, T.C. Documents such as driver's license, identity card and passport that contain information such as identity number, nationality information, mother's name and father's name, place of registration and other population information, place of birth, date of birth, gender, marital status, tax number, SGK number, signature information etc. informations

Communication information

Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; information such as telephone number, address, e-mail address, fax number

Location Information

Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; Within the framework of the activities carried out by Sarmaşık Giyim, information about the location of the personal data owner (where he is located, etc.) in order to protect the legal and other interests of the personal data owner of the company.

Financial Information

Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; Financial personal data processed for information, documents and records that vary according to the type of legal relationship Sarmaşık Giyim has established with the personal data owner, bank account number, bank account information, (IBAN number, account holder, etc.), credit card information, etc. and employees' financial and salary details, payrolls, premium progress, premium amounts, file and debt information related to enforcement proceedings, bank account book, minimum living allowance information, private health insurance amount, etc.

Personal Information and

Professional Experience Information

Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; Information that will be the basis for the formation of the personal rights of real persons who are in a working relationship with Sarmaşık Giyim and that is required by law to be included in the personnel file (Educational status, certificate and diploma information, foreign language information, education and skills, CV, courses taken, Leave seniority base date, leave seniority additional days, leave group, exit/return date, day, reason for taking leave, address/phone to be taken on leave, position name, department and unit, title, last date of employment, date of entry/exit, insurance entry/retirement, social security number, flexible hours working status, travel status, number of working days, projects worked, monthly total overtime information, severance pay base date, severance pay extra days, days on strike, employee internet access logs, all kinds of input and output logs. personal data and the performance required for the employee to progress in his/her position (Education and skills, information on which training he received on which date , e-mail, signed participation form, customer interview quality evaluation form, monthly performance evaluation and target realization status, activity) information

Health Information

Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; Information on disability, blood group information, personal health information, device and prosthesis information, etc. specified in Article 6 of the PDP Law. data.

Legal action

Clearly belonging to an identified or identifiable natural person; Personal data obtained as a result of correspondence with judicial authorities, litigation and enforcement proceedings, which are partially or fully processed automatically or non-automatically as part of the data recording system.

Customer Transaction

Clearly belonging to an identified or identifiable natural person; Personal data obtained for reasons such as invoices, cheques, promissory notes, box office receipts, request and order forms that are processed partially or completely automatically or non-automatically as part of the data recording system.

Transaction Security

Clearly belonging to an identified or identifiable natural person; processed partially or fully automatically or non-automatically as part of the data recording system; IP address information, website login and exit information, password and password information, etc. Personal data obtained for the purpose of ensuring the transaction security of the data owner within the scope of online platforms such as

Marketing

Clearly belonging to an identified or identifiable natural person; Personal data obtained for reasons such as shopping history information, surveys, campaigns, contracts, which are processed partially or completely automatically or non-automatically as part of the data recording system.

Physical Space Security and Audio/Audio Recordings

Clearly belonging to an identified or identifiable natural person; Personal data obtained in accordance with the security cameras in Tugba Giyim, which are processed partially or completely automatically or non-automatically as part of the data recording system.
  1. Purposes of Collection and Processing of Personal Data of Personal Data Owners in Personal Data Subject Groups
    Personal data is processed by our company in accordance with the Law for the following purposes:
     
  • Execution of Emergency Management Processes
  • Execution of Information Security Processes
  • Execution of Employee Candidate Processes
  • Execution of Application Processes of Employee Candidates
  • Fulfillment of Employment Contract and Legislative Obligations for Employees
  • Execution of Benefits and Benefits Processes for Employees
  • Conducting Audit and Ethical Activities
  • Conducting Educational Activities
  • Execution of Activities in Compliance with the Legislation
  • Execution of Finance and Accounting Affairs
  • Execution of Company/Product/Services Loyalty Processes
  • Providing Physical Space Security
  • Execution of Assignment Processes
  • Follow-up and Execution of Legal Affairs
  • Execution of Communication Activities
  • Planning of Human Resources Processes
  • Continuing Occupational Health and Safety Activities
  • Conducting Business Continuity Ensuring Activities
  • Receiving and Evaluating Suggestions for Improvement of Business Processes
  • Carrying out Internal Audit / Investigation / Intelligence Activities
  • Execution of Logistics Activities
  • Execution of Goods/Services Purchase Processes
  • Execution of Goods/Service Sales Processes
  • Management of Goods/Services Production and Operation Processes
  • Execution of Goods/Services After Sales Support Services
  • Execution of Customer Relationship Management Processes
  • Execution of Activities for Customer Satisfaction
  • Organization and Event Management
  • Execution of Marketing and Analysis Studies
  • Execution of Performance Evaluation Processes
  • Execution of Advertising / Campaign / Promotion Processes
  • Execution of Risk Management Processes
  • Execution of Storage and Archive Activities
  • Execution of Contract Processes
  • Follow-up of Requests / Complaints
  • Ensuring the Security of Movable Property and Resources
  • Execution of Wage Policy
  • Execution of Marketing Processes of Products / Services
  • Ensuring the Security of Data Controller Operations
  • Execution of Talent/Career Development Activities
  • Execution of Management Activities
  • Providing Information to Authorized Persons, Institutions and Organizations
  • Purposes of Creating and Tracking Visitor Records

 

  1. Associating Data Subject Groups with Data Categories of These Persons

Personal Data Categorization

Data Owner Category to which the Relevant Personal Data is Related

Credentials

Employee candidate, Employee, Other-Legal Person Employee with whom Commercial Relationship is Established, Other-Real and Legal Persons with which Commercial Relationship is Established, Other-Reference Person for Employee Candidates, Other-Trainer, Other-Deputy Coordinator to Contact, Other-Legal Representative, School Manager, Employer, Other-Worker and/or Employer Owned, Other-Foreign Employee and/or Employer Owned, Other-Branches of Shopping Center, Shareholder/Partner, Potential Product or Service Buyer, Supplier Employee, Supplier Official, Product or Service Recipient, Intern

Communication information

Employee candidate, Employee, Other-Commercial Relationship Established Employee, Other-Commercial Relationship Established Natural Person and Employee, Shareholder/Partner, Supplier Employee, Supplier Official, Product or Service Recipient, Intern , Subject of the News

Location

Employee Candidate, Employee, Shareholder/Partner, Product or Service User

Personnel

Employee Candidate, Employee, Other-Employee's Spouse and Children, Other-Employee's Dependents, Intern

Finance

Employee, Other-Bank Employee and Other Employee, Other-Real Person with which Commercial Relationship is Established, Other-Commercial Relationship Established Legal Person and its Authorized Person, Shareholder/Partner, Product or Service Recipient

Legal action

Employee, Shareholder/Partner

Customer Transaction

Potential Product or Service Buyer, Product or Service Recipient

Physical Space Security, Audio/Audio Recordings

Employee, Employee Candidate, Potential Product or Service Purchaser, Product or Service Purchaser, Visitor, Visitor, Other-Real Person with Commercial Relationship

Professional experience

Employee, Employee Candidate, Intern

Marketing

Potential Product or Service Buyer, Product or Service Purchaser, Supplier Employee, Supplier Official

Health information

Employee, Trainee

Transaction Security

Potential Product or Service Buyer, Product or Service Recipient

PRINCIPLES OF TRANSFERRING PERSONAL DATA

Sarmaşık Giyim, within the scope of the personal data processing conditions specified in the 5th and 6th articles of the PDP Law No. 6698 and limited to the purposes specified in this Policy, in accordance with the 8th and 9th articles of the PDP Law. to individuals and institutions.

The scope of the above-mentioned persons to whom the transfer is made and the data transfer purposes are stated below. These persons and Institutions;

  1. Sarmaşık Giyim business partners, affiliates and subsidiaries,
  2. Ivy Clothing suppliers,
  3. Sarmaşık Giyim departments and officials
  4. Sarmaşık Giyim Sanayi Ticaret Ltd. Şti. Sti. shareholder/partners,
  5. Banks,
  6. Public institutions and organizations that are legally authorized to receive information,
  7. They are private law/public law legal persons authorized to obtain legal information. 

RECIPIENT GROUPS THAT CAN BE TRANSFERRED TO DATA

DEFINITION

PURPOSE OF TRANSFER OF PROCESSED DATA

Partner/ Affiliates/ Subsidiaries

It defines the parties with which Sarmaşık Giyim establishes business partnerships for purposes such as carrying out various projects and receiving services while carrying out its commercial activities.

Limited to ensure the fulfillment of the purposes for which the business partnership was established.

Supplier

It defines the parties that provide services to Sarmaşık Giyim on a contract basis or without a contract in accordance with the orders and instructions of Tugba Giyim while carrying out the commercial activities of Sarmaşık Giyim.

To ensure that the services that Sarmaşık Giyim obtains from the supplier and necessary to carry out its commercial activities are provided to Sarmaşık Giyim.

Banks

Private and public banks working with Sarmaşık Giyim and working in various fields including payment of monthly wages

Limited to the information that is mandatory to be shared in accordance with the Contracts, assignments and relevant legal legislation regarding the rights and receivables of Sarmaşık Giyim.

Company officials

Tugba Giyim board members and other authorized natural persons

In accordance with the provisions of the relevant legislation, limited to the purposes of designing the strategies for the commercial activities of Tugba Giyim, ensuring the highest level of management and auditing.

Legally Authorized Public Institutions and Organizations

Public institutions and organizations authorized to receive information and documents from Tugba Giyim in accordance with the provisions of the relevant legislation.

Limited to the purposes requested by the relevant public institutions and organizations within their legal authority.

Legally Authorized Private Law Persons

Private law persons authorized to receive information and documents from Tugba Giyim in accordance with the provisions of the relevant legislation

Limited to the purpose requested by the relevant private legal persons within the scope of their legal authority.

                                                       

Within the scope of Article 5 of the PDPL, our Company transfers the data of personal data owners without express consent in the following cases:

  • If the processing of personal data is directly related to the establishment or performance of a contract and is necessary,
  • In case the processing of personal data is necessary for our company to fulfill its legal obligation,
  • Provided that the personal data has been made public by the data owner; in a limited way for the purpose of publicizing,
  • In case the processing of personal data is necessary for the establishment, exercise or protection of the rights of our company or the data owner or third parties,
  • In case it is necessary to process personal data for the legitimate interests of our company, provided that it does not harm the fundamental rights and freedoms of the data owners.

In order to transfer private data, it is obligatory to obtain the explicit consent of the data owner, except for the exceptions stated in Article 6 of the PDPL and listed below.

The relevant exceptions are the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, if the personal data of the personal data owner is sensitive to his health and sexual life; It can be transferred without explicit consent by persons or authorized institutions and organizations under the obligation to keep secrets.

 

As a rule, no data is transferred abroad by our company, and all necessary administrative and technical measures are taken to prevent personal data from being transferred abroad.

STORAGE OF PERSONAL DATA

The personal data we obtain is securely stored in physical or electronic environment for an appropriate period of time in order for Tugba Giyim to continue its activities. Within the scope of these activities, Tugba Giyim acts in accordance with the obligations stipulated in all relevant legislation, especially the PDP Law, regarding the protection of personal data. Except for the cases where the personal data is allowed to be stored for a longer period or is mandatory, in the event that the purposes of processing the personal data obtained are terminated, the data will be deleted, destroyed or anonymized by Tugba Giyim ex officio or upon the request of the owners.

In cases where the data controller has a legitimate interest, personal data may be stored within the general statute of limitations (ten years), provided that it does not harm the fundamental rights and freedoms of the data subjects, despite the expiration of the purpose of processing and the periods specified in the relevant laws. After the expiry of the aforementioned statute of limitations, personal data is deleted, destroyed or anonymized according to the procedure in the Disposal Policy (For detailed information, we refer to our Destruction Policy on Deletion, Destruction and Anonymization of Personal Data on our website at www.tugba.com. We highly recommend checking it out).

 MEASURES RELATED TO THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the PDPPDPL Law, Tugba Giyim takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the personal data it processes, to prevent illegal access to the data and to ensure the preservation of the data, and to carry out the necessary audits in this context. or is making. In the event that the processed personal data is captured by third parties by unlawful means, despite all the technical and administrative precautions, Tugba Giyim informs the relevant units as soon as possible.

Technical Measures

  • In order to control access to information and prevent unauthorized access, taking into account the conscious or unconscious threats that may be created by people working within the organization, log reporting and necessary security controls have been implemented in all relevant areas via software and hardware devices.
  • Layered network security measures have been established in the company against threats from external networks.
  • Technical measures are taken in accordance with the developments in technology, the measures taken are periodically updated and renewed.
  • Access and authorization technical solutions are implemented in accordance with the legal compliance requirements determined on the basis of the business unit.
  • Access privileges are limited.
  • The technical measures taken are checked periodically, the risky issues are re-evaluated and the necessary technological solution is produced.

 

  • Software and hardware including virus protection systems and firewalls are installed.
  • Firewall, antivirus software, firewalls, VPN software/hardware, content controllers, central management software are used in Company Computer systems.
  • Personnel knowledgeable in technical matters are employed.
  • Security scans are regularly performed to detect security vulnerabilities in applications where personal data is collected. The vulnerabilities found are closed.
  • Provides control of system vulnerabilities by taking penetration test service when needed.
  • The destruction of personal data is ensured in a way that cannot be recycled and leaves no audit trail.

 

Administrative Measures

  • Contracts concluded by Tugba Giyim with the persons to whom personal data are transferred in accordance with the law; Provisions are added that the persons to whom personal data are transferred will take the necessary security measures for the protection of personal data and ensure that these measures are complied with in their own institutions.
  • It is necessary to act in accordance with the obligations stipulated by the PDP Law in order to legally process personal data on all kinds of documents that regulate the relationship between Tugba Giyim personnel and contain personal data, that personal data should not be disclosed, personal data should not be used unlawfully, and that the confidentiality obligation regarding personal data must be fulfilled. It has added records that the employment contract with Tugba Giyim continues even after the termination, and the failure of the personnel to comply with these obligations requires the application of sanctions that may lead to the termination of the employment contract.
  • Contracts concluded by Tugba Giyim with the persons to whom personal data are transferred in accordance with the law; Provisions are added that the persons to whom personal data are transferred will take the necessary security measures for the protection of personal data and ensure that these measures are complied with in their own institutions.
  • Employees are trained on technical measures to prevent unlawful access to personal data.
  • Access to personal data and authorization processes are designed and implemented in Tugba Giyim in accordance with the legal compliance requirements for personal data processing on a business unit basis.
  • It is necessary to act in accordance with the obligations stipulated by the PDP Law in order to legally process personal data on all kinds of documents that regulate the relationship between Tugba Giyim personnel and contain personal data, that personal data should not be disclosed, personal data should not be used unlawfully, and that the confidentiality obligation regarding personal data must be fulfilled. It has added records that the employment contract with Tugba Giyim continues even after the termination, and the failure of the personnel to comply with these obligations requires the application of sanctions that may lead to the termination of the employment contract.
  • Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the PDP Law and cannot be used for purposes other than processing, and that this obligation will continue after they leave their job, and necessary commitments are taken from them in this direction.
  • Contracts concluded by Tugba Giyim with the persons to whom personal data are transferred in accordance with the law; Provisions are added that the persons to whom personal data are transferred will take the necessary security measures for the protection of personal data and ensure that these measures are complied with in their own institutions.
  • In case the processed personal data is obtained by others unlawfully, it notifies the person concerned and the Board as soon as possible.
  • It employs knowledgeable and experienced personnel about the processing of personal data and provides its personnel with the necessary training within the scope of personal data protection legislation and data security.
  • It carries out and has the necessary inspections made in order to ensure the implementation of the provisions of the Law in its own legal entity. Eliminates privacy and security vulnerabilities that arise as a result of audits.
  • Tugba Giyim is responsible in accordance with Article 12 of the PDP Law for the third parties to which it transfers personal data, in accordance with the provisions of this Policy and the PDP Law, to fulfill its obligations to process and preserve the data and to access the data in accordance with the law. For this reason, Tugba Giyim should take commitments that include fulfilling these conditions in contracts and all kinds of regulations while transferring data to third parties and authorizing it to conduct audits. Again, Tugba Giyim should specifically inform all its personnel about the responsibilities arising from the processes of transferring personal data to third parties.

 

 

Supervision of the Measures Taken for the Protection of Personal Data

Within the scope of the PDP Law, Tugba Giyim has registered in the VERBIS system as the data controller. In the first paragraph of Article 11 of the Regulation, “Data controller obligations of legal persons residing in Turkey within the scope of the Law are fulfilled by the authorized body authorized to represent and bind the legal entity in accordance with the provisions of the relevant legislation, or by the person or persons specified in the relevant legislation. The body authorized to represent the legal entity may assign one or more persons regarding the obligations to be fulfilled in terms of the implementation of the Law. Pursuant to this regulation, PDP  responsible persons have been determined by our company, and audits are carried out periodically and from time to time by these responsible persons.

LIGHTING OBLIGATION OF THE DATA RESPONSIBLE

 Within the scope of Article 10 of the PDP Law, data owners must be informed before or at the latest during the acquisition of personal data. The information to be conveyed to the data owners within the framework of the said disclosure obligation is as follows:

 

  1. Identity of the data controller and its representative, if any,
  2. For what purpose personal data will be processed,
  3. To whom and for what purpose the processed personal data can be transferred,
  4. Method and legal reason for collecting personal data,
  5. Other rights listed in Article 11 of the PDP Law.

In this context, our Company informs the personal data owner of the rights of the personal data owner in accordance with Article 10 of the PDP Law and guides the personal data owner on how to use these rights. It carries out the necessary channels, internal functioning, administrative and technical regulations in accordance with Article 13 of the Law.

In order to fulfill its obligation of disclosure, Tugba Giyim has prepared disclosure statements on the basis of the process and the persons whose data is processed, to be submitted to the data owners within the scope of the above-mentioned PDP Law. After the disclosure statements are submitted to the data owners, explicit consent statements have been prepared for data processing activities and data categories that require the explicit consent of the data owner in order for Tugba Giyim to carry out its commercial activities. In the express consent declarations prepared for the data owners, in parallel with the European Union regulations that form the basis of the PDP Law, the data owners are given the right to choose whether their personal data can be processed by Tugba Giyim and they are informed about the consequences that may occur if the explicit consent cannot be obtained.

OTHER OBLIGATIONS OF THE DATA CUSTOMER

Lighting Obligation: A Clarification Text has been issued regarding the data processed by Tugba Giyim and the relevant persons have been informed about the process.

Obligations Regarding Data Security: Our company undertakes to fulfill all its obligations to prevent the unlawful processing of personal data, to prevent illegal access to this data and to ensure that they are kept in accordance with the law. The company has established a data recording system that determines the purposes and means of processing personal data.

Obligation to Make or Have an Inspection: Our company undertakes to carry out / have had the necessary audits done in order to ensure the implementation of the provisions of the law, in order to process personal data in accordance with the procedures and principles stipulated in the law.

Confidentiality Obligation: Our company undertakes that it will not disclose or allow others to use the personal data it processes, except for the data that it informs about illegal transfer and obtains its explicit consent. This commitment continues even when the data controller or data processors assigned during the processing leave their duties.

Obligation to Notify in Case of Violation: In the event that the data it processes is obtained by others illegally, our company will notify the relevant person and the Board as soon as possible.

Obligation to Answer the Applications Made by the Related Persons and Fulfill the Board Decisions: Tugba Giyim will respond to the requests regarding the implementation of the Law submitted to it by the data owners in writing or by other methods to be determined by the Board, as soon as possible and within thirty days at the latest, free of charge. If this process requires a cost, Tugba Giyim may request the fees in the tariff determined by the Board from the person making the request.

Obligation to Register in the Data Controllers Registry: Tugba Giyim will complete its registration on the date and time to be announced by the Personal Data Protection Board.

RIGHTS OF THE DATA SUBJECT AND THE USE OF THESE RIGHTS

  1. Data Subject's Rights

As a data owner, we would like to state that you have the following rights in accordance with Article 11 of the Law:

  • Learning whether your personal data is processed,
  • If your personal data has been processed, requesting information about it,
  • To learn the purpose of processing your personal data and whether they are used in accordance with the purpose,
  • Knowing the third parties to whom your personal data is transferred, in the country or abroad,
  • Requesting correction of your personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom your personal data has been transferred,
  • Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing cease to exist despite the fact that it has been processed in accordance with the Law and other relevant law provisions, and requesting that the process carried out within this scope be notified to the third parties to whom your personal data has been transferred,
  • Objecting to this if a result arises against you by analyzing the processed data exclusively through automated systems,
  • To request the compensation of the damage in case you suffer damage due to the unlawful processing of your personal data.

If you apply to our company regarding your rights listed above, your applications will be concluded free of charge as soon as possible and within thirty days at the latest, depending on the nature of your request; however, if the transaction requires an additional cost, you may be charged a fee according to the tariff to be determined by the Personal Data Protection Board. When necessary, detailed and additional information may be requested in order to better understand the request. The procedures and principles of the application are explained below.

Personal data owners cannot claim the rights of personal data owners listed in section 11 on these matters, as the following cases are excluded from the scope of the PDP Law in accordance with Article 28 of the PDP Law:

  1. Processing personal data for purposes such as research, planning and statistics by making it anonymous with official statistics.
  2. Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
  3. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.

 

  1. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

Pursuant to article 28/2 of the PDP Law; In the cases listed below, personal data owners cannot claim their other rights listed in section 11, except for the right to demand the compensation of the damage:

 

  1. The processing of personal data is necessary for the prevention of crime or for criminal investigation.
  2. Processing of personal data made public by the personal data owner.
  3. Personal data processing is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution based on the authority granted by the law.
  4. The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

 

  1. Exercise of Personal Data Owner's Rights 

 

Data owners will be able to submit their requests regarding their rights listed above to Tugba Giyim free of charge by filling out and signing the Application Form in ANNEX-1, with the information and documents that will determine their identities, and using the methods specified below or other methods determined by the Personal Data Protection Board:

(a) an e-mail to the e-mail address [email protected]

(b) Ehlibeyt Mah. 6.Sokak No:25-B Balgat Çankaya/ANKARA in person or by sending an Application Form through a notary public.

In order for third parties to apply on behalf of personal data owners, a special power of attorney issued by the data owner through a notary public on behalf of the person to apply must be present.

 

 

  1. Right of Personal Data Owner to Complain to the PDP Board

 

In cases where the application is rejected, the response given is insufficient, or the application is not answered in due time, in accordance with Article 14 of the Personal Data Owner PDP Law; Tugba Giyim can make a complaint to the PDP Board within thirty days from the date of learning the answer and probably within sixty days from the date of application.

 

TUGBA GİYİM'S ANSWER TO APPLICATIONS

  1. Tugba Giyim's Response Procedure and Time to Applications

 If the personal data owner submits his request to Tugba Giyim in accordance with the procedure set out in this policy, Tugba Giyim will conclude the relevant request free of charge within thirty days at the latest, depending on the content of the request. However, if a fee is foreseen by the PDPL Board, Tugba Giyim will collect the fee in the tariff determined by the PDPL Board from the applicant.

  1. Information that Tugba Giyim may request from the Applicant Personal Data Owner

Tugba Giyim may request information from the person concerned in order to determine whether the applicant has personal data. Tugba Giyim may ask questions about the personal data owner's application in order to clarify the issues in the application of the personal data owner.

  1. Tugba Giyim's Right to Reject the Application of the Personal Data Owner

Tugba Giyim may reject the application of the applicant in the following cases by explaining the reason:

Processing personal data for purposes such as research, planning and statistics by making it anonymous with official statistics.

  1. Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
  2. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
  3. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
  4. The processing of personal data is necessary for the prevention of crime or for criminal investigation.
  5. Processing of personal data made public by the personal data owner.
  6. Personal data processing is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution based on the authority granted by the law.
  7. The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
  8. The possibility of the personal data owner's request to prevent the rights and freedoms of other persons
  9. Making demands that require disproportionate effort
  10. The requested information is publicly available.

REVISION AND REVOCATION

In case this Policy is revised or repealed, the revised version of the Policy or a new policy sample will be announced in the relevant places.

EXECUTIVE

All department managers, including the Information Processing Manager, are responsible for the follow-up and coordination of all works and transactions within the scope of the PDP Law and the Data Protection Board regulations of the Board of Directors of Tugba Giyim, which is responsible for the execution of this Policy and is responsible for fulfilling the obligations of the data controller.

  



 

cultureSettings.RegionId: 0 cultureSettings.LanguageCode: EN
Use of Cookies

Please visit our clarification text and our privacy and cookie policy to get information about your personal data, which is started to be processed in accordance with the legislation with your visit to our website.