AHMET KARAMAN KARAMAN TEXTILE INDUSTRY AND FOREIGN TRADE LTD. STI. PERSONAL DATA PROTECTION AND PROCESSING POLICY
DATA PRIVACY COMMITMENT
This Personal Data Protection and Processing Policy “Policy”, AHMET KARAMAN KARAMAN TEKSTİL SANAYİ VE DIŞ TİCARET LTD. STI. In accordance with the Law on the Protection of Personal Data No. 6698 and the attached Regulations and Communiqués and other legislation, “KARAMAN GROUP” determines its obligations and the basic principles of the protection of personal data at the Company in order to ensure that personal data is kept securely and processed in accordance with the law.
KARAMAN. The GROUP undertakes to act in accordance with this Policy and complementary transactions and decisions in terms of all Personal Data held by the company.
PURPOSE OF THE POLICY
The purpose of this policy is to determine the methods and principles to be followed in order to carry out data processing and protection activities of KARAMAN GROUP in accordance with the Law on the Protection of Personal Data published in the Official Gazette dated 7 April 2016 and numbered 29677. In this context, as KARAMAN GROUP, we also provide transparency regarding our activities regarding the processing and protection of personal data belonging to our employees, customers, visitors, shareholders, business partners and subcontractors, employees and officials and third parties.
III. SCOPE OF THE POLICY
The scope of our policy is as follows: to be part of an automated or any data recording system of personal data belonging to our customers, potential customers, employee candidates, employees, company shareholders, company officials, visitors, business partners and subcontractors, employees and officials and third parties pertains to all personal data processed by non-automatic means, provided that
DEFINITIONS, DATA CATEGORIES AND DATA GROUPS
The definitions in this Policy have the following meanings;
PERSONAL DATA PROTECTION LAW (KVKK) The Law on the Protection of Personal Data No. 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677, IS COMPLEMENTARY TO THE KVKK
OTHER LEGISLATION
Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Light
Communiqué on the Procedures and Principles of Application to the Data Controller, and the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Lighting are secondary legislation items enacted in order to detail some issues in the KVVK.
Data Controller
Refers to the natural or legal person who processes Personal Data by specifying the purposes and ways of processing, and who is responsible for establishing and managing the data recording system.
DATA SPEAKER REPRESENTATIVE
Refers to the employee selected by the Company, who carries out the relations of the Company with the Agency and who is appointed by the decision of the board of directors
PERSONAL DATA
Refers to any information relating to an identified or identifiable natural person
SPECIAL QUALITY PERSONAL DATA
Data that, if learned, may cause discrimination or victimization about the person concerned. For example, race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions, but not limited to…
DATA INVENTORY
Refers to the inventory containing basic information regarding the Company's Personal Data Processing activities.
PERIODIC DISPOSAL
The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals within the scope of the legislation and specified in the personal data storage and destruction policy, in case all the conditions for processing personal data in the Primary and Secondary Legislation are eliminated.
OPEN CONSENT
Informed consent for the processing of Personal Data of individuals, followed by a separate consent based on free decision.
ANONYMOUS
Making Personal Data not be associated with an identified or identifiable natural person.
DELETE OR DELETE
Making Personal Data inaccessible and non-reusable for the relevant users.
DISTRUCTION
It is the process of making personal data inaccessible, irretrievable and unusable by anyone.
VERBIS
Data Controllers Registry Information System
The categories and descriptions of personal data and data groups that are processed partially or completely automatically or non-automatically as part of the data recording system, to which the real person is identified and/or identifiable within the scope of data processing activities carried out by KARAMAN GROUP, are listed below:
Personal Data All kinds of information relating to an identified or identifiable natural person. In order to be able to talk about personal data, the data must be related to a real person and make this person specific or identifiable. In this context, identity information, tax number, SGK number information, signature information; contact information such as phone number, address, e-mail address, fax number, license plate information, IP address, family members and relatives information and camera records, vehicle license plate information, records taken at the security point, voice recordings from phone calls, etc. personal data. data on race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal conviction, and security measures, but not limited to biometric and genetic data etc. is within this scope. Special categories of personal data may be processed in limited cases determined by the legislation. In this context, such personal data are not processed by KARAMAN GROUP, except for the cases permitted under the legislation, or are processed in accordance with the conditions specified in the legislation.
PRINCIPLES OF PERSONAL DATA PROCESSING
1. PROCESSING IN ACCORDANCE WITH LAW AND INTEGRITY
KARAMAN GROUP is to act in accordance with the law and honesty in the processing of personal data. In this context, KARAMAN GROUP does not use personal data outside of its purpose, by adhering to the lawful purposes and legal limits, taking into account the principle of proportionality, acts by determining the legal grounds that will require the processing of personal data, acts in a measured manner and does not use personal data except when required by the purpose. Except for the exceptions set out in the legislation, it is accepted as a basic principle that no action can be taken for data processing and transfer after informed consent and without obtaining explicit consent.
2. ENSURING PERSONAL DATA IS CORRECT AND UPDATED WHEN NEEDED
Our company; ensures that the personal data it processes are accurate and up-to-date when necessary. It takes the necessary measures in this direction. Data that is determined to be inaccurate and out of date is deleted or destroyed in accordance with our Deletion and Destruction Policy.
3. PROCESSING FOR SPECIFIC, EXPRESS AND LEGAL PURPOSES
Our company does not process data without a clear and legitimate purpose or requirement of legislation and acts within the limits of this clear/legitimate purpose.
4. BE RELATED, LIMITED AND MEASURED FOR THE PURPOSE FOR WHICH IT IS PROCESSED
Our company processes personal data within limits and to the extent required by the purpose for which it is processed, and data that is not required by the purpose is strictly not processed.
5. KEEPING IT FOR THE TIME THAT IS PROVIDED IN APPLICABLE LEGISLATION OR REQUIRED FOR THE PURPOSE FOR THE PROCESSING
KARAMAN GROUP preserves personal data only for as long as specified in the relevant legislation or required for the purpose for which they are processed. In this context, our Company first determines whether there is a time limit for the storage of personal data in accordance with the legislation, and stores the data by taking the necessary precautions during this period; If the legislation does not include a period that makes it necessary to be kept, it stores the personal data for the period required for the purpose for which they are processed, and in any case, by observing the erasure/destruction periods in the relevant legislation. Personal data is deleted, destroyed or anonymized by KARAMAN GROUP in case the period expires, the reasons for processing the data disappear or there is a request of the data owner in this direction (in accordance with the legislation).
PROCESSING OF PERSONAL DATA
The principles regarding the processing of Personal Data by KARAMAN GROUP are as follows:
INFORMING AND INFORMING THE PERSONAL DATA OWNER
KARAMAN GROUP basically enlightens the personal data owners on the following issues before obtaining personal data, as determined in the KVKK and other complementary legislation, with the exceptions set forth in the legislation.
Company title, address and contact information; Based on which legal reason it is collected/processed; For what purpose it will be processed, Informing about the domestic and international transfer of the processed personal data, Methods of personal data collection In accordance with the relevant legislation (Article 11 of the KVKK Law), Data Owner Rights and Application Form, information on necessary documents. The data can only be processed in cases stipulated by the law or if the legitimate interests of the company require it and/or if the person gives his/her free will. KARAMAN GROUP is strictly committed to this principle.
In the framework of the Enlightenment Obligation, the necessary information is given to the persons before the Explicit Consent is obtained and
Persons are informed about their rights and application procedure under Article 11 of the KVKK.
Explicit Consent is obtained separately after the informed consent is given and clearly stated in the consent text.
All employees and managers who receive and process personal data are obliged to comply with this Policy, including before data is received.
OTHER CASES EXCEPT EXPRESS CONSENT
Personal data of the data owner can be processed in accordance with the law, if it is expressly stipulated in the law.
Personal data of the data owner may be processed if it is necessary to process the personal data of the person who is unable to express his/her consent due to actual impossibility or whose consent cannot be validated, in order to protect the life or physical integrity of himself or another person.
Directly with the conclusion or performance of a contract. Provided that it is directly related, it is possible to process personal data if it is necessary to process the personal data of the parties to the contract.
Personal data of the data owner may be processed if processing is necessary for the performance of our legal obligations as KARAMAN GROUP.
If the data owner has made his personal data public by himself, the relevant personal data may be processed.
If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.
Personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
VII. PROCESSING OF SPECIAL QUALITY PERSONAL DATA
Private personal data are “sensitive” data that may cause discrimination or victimization about the person concerned if learned: Race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, association, foundation or data related to union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data… Special categories of personal data may be processed with the explicit consent of the person concerned, in cases permitted by the legislation, or in limited cases specified in the Law. In this framework, such personal data will not be processed by KARAMAN GROUP except in cases where it is allowed to be processed in accordance with KVKK, or it is processed by obtaining the explicit consent of the person concerned, in accordance with the conditions specified in the legislation and by taking all necessary physical, electronic and other measures.
Special Quality Personal Data can only be processed if the Explicit Consent of the persons is available in cases permitted by the legislation or if it is expressly required to be processed by law in terms of Sensitive Personal Data other than sexual life and personal health data.
Private personal data of the personal data owner regarding his/her health and sexual life is only for the purposes of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, or persons or authorized persons who are under the obligation of confidentiality. processed by institutions and organizations
In any case that requires the Processing of Special Quality Personal Data, the Data Controller Representative is informed by the relevant employee.
If it is not clear whether a data is a Special Quality Personal Data or not, the opinion of the relevant department is obtained from the Data Controller Representative and, if applicable, from the person/company who is consulted within the scope of the Personal Data legislation.
Regardless of the reasons, the data processing and storage principles included in this text and the data deletion and destruction policy are always taken into account in the processing processes and compliance with these principles is ensured.
TO THE EMPLOYEES INVOLVED IN THE PROCESSING OF SPECIAL QUALITY PERSONAL DATA;
There will be regular trainings on the law and related regulations and special quality personal data security, Employment contracts will be amended, additional confidentiality and personal data protection and storage agreements will be made in addition to existing contracts, Access to data will be limited as necessary on a user basis, KARAMAN GROUP undertakes that necessary studies will be carried out regularly to prevent unauthorized access, that the authorization of employees who have a change in duty or quit their job in this field will be immediately revoked, and that any inventory allocated to them by the data controller will be returned in this context.
VIII. PERSONAL DATA STORAGE PERIOD AND CONDITIONS FOR DELETING, DESTROYING AND ANONYMIZING
KARAMAN GROUP keeps personal data for the period specified in these legislations, if it is stipulated in the relevant laws and regulations. If the legislation regarding how long the personal data should be stored is not regulated for a period of time, the personal data is processed for the period that requires it to be processed in accordance with the practices of KARAMAN GROUP and the customs of commercial life, depending on the services provided by our company while processing that data, and are deleted in accordance with the Data Retention and Deletion Policy prepared later.
KARAMAN GROUP, despite the fact that it has been processed in accordance with the relevant legislation, in the event that the reasons requiring it to be processed disappear and the legislation does not contain a regulation to the contrary, in accordance with KARAMAN GROUP's own decision or upon the request of the personal data owner. deletes, destroys or anonymizes. A policy of erasure-destruction containing detailed information has been prepared in this direction.
TRANSFER OF PERSONAL DATA AND PROCESSING OF PERSONAL DATA BY THIRD PARTIES
KARAMAN GROUP may transfer Personal Data to a third natural or legal person for legitimate and lawful personal data processing purposes, provided that the limits and forms determined in the KVKK and the attached legislation are complied with. In this case, the Company does the necessary work to ensure that the third parties to which it transfers Personal Data also comply with this Policy. In this context, necessary protective regulations are added to the contracts concluded with the third party. Each employee is obliged to comply with the process in this Policy in case of Personal Data transfer. may transfer qualified personal data to third parties in the country. Special quality personal data can only be;
If the personal data owner has explicit consent and the legislation permits, or if the personal data owner does not have explicit consent; The personal data of the personal data owner other than his health and sexual life (race, ethnicity, political thoughts, philosophical beliefs, religion, sect or other beliefs, clothing, membership in associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data), in cases stipulated by law, Private personal data may only be transferred by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
Special quality personal data can be transferred to third parties in the following cases, by taking special protection measures and strictly adhering to the legislation.
X. THE WAY TO PROTECT PERSONAL DATA AND FOLLOW IN CASE OF DISCLOSURE
KARAMAN GROUP takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the personal data it processes, to prevent illegal access to the data and to ensure the preservation of the data, and performs the necessary audits in this context.
Technical and Administrative Measures Taken to Ensure Legal Processing of Personal Data are as follows:
KARAMAN GROUP takes technical and administrative measures according to the risk level and the technological and physical possibilities of the company in order to ensure that personal data is processed in accordance with the law. KARAMAN GROUP takes the necessary technical and administrative measures to prevent the imprudent or unauthorized disclosure, access, transfer or any other unlawful access to personal data. KARAMAN GROUP, in accordance with Article 12 of the KVKK, carries out the necessary inspections within its own body or has it done. The results of these audits are reported within the scope of the internal functioning of KARAMAN GROUP and necessary activities are carried out to improve the measures taken.
Trainings are provided on Improving the Qualification and Technical Knowledge/Skills of Employees, Preventing the Unlawful Processing of Personal Data, Preventing Unlawful Access to Personal Data, Ensuring the Protection of Personal Data, Communication Techniques and Related Legislations; Employment contracts are revised and Employees are Signed Contracts with Confidentiality Commitments; In case of violation, necessary warnings are made to the personnel, the Obligation to Inform the Related Persons is Fulfilled, In-Company Inspections are Conducted, and Employees are Trained. If the environments where the data is processed, stored and/or accessed are the physical environment, it is ensured that adequate security measures are taken (against electrical leakage, fire, flood, theft, etc.) Unauthorized entries and exits are prevented (for example, with encrypted files on lockers or computers).
Technically: Necessary Measures are Taken for the Physical Security of the Company's Information Systems Equipment, Software and Data, Risks to Prevent Unlawful Processing are Determined, Technical Measures are Taken Appropriate to These Risks, Procedures are Established and Implemented for Distribution of Access, Authority and Role, Authority Matrix is applied Inappropriate Accesses are kept under Control by Recording the Accesses, Destruction Processes are Defined and Implemented in accordance with the Storage and Disposal Policy, A System and Infrastructure is Established to Notify the Relevant Person and the Board in case of Unlawful Processing, Appropriate Security Patches are Installed by Monitoring the Security Vulnerabilities, Information Systems It is kept up-to-date, strong passwords are used in electronic environments where personal data are processed, and secure record keeping (logging) systems are used, and backup programs are used to ensure the safe storage of personal data.
Measures to be Taken in Case of Unauthorized Disclosure of Personal Data
KARAMAN GROUP shall ensure that if the processed personal data is obtained by others unlawfully, this situation shall be notified to the relevant personal data owner and the KVK Board as soon as possible.
Conditions Regarding the Protection of Special Categories of Personal Data:
The technical and administrative measures taken by the KARAMAN GROUP for the protection of personal data are carefully implemented in terms of personal data of special nature. Some of the measures taken in this context are as follows; Employees who are involved in the processing of sensitive personal data are provided with training on the Law and related regulations, as well as special quality personal data security, confidentiality agreements are made, the scope and duration of authorization of users who have access to data are clearly defined, The authority of the leaving employees in this field is immediately removed and the inventory allocated to them by the data controller is returned. Environments where sensitive personal data is processed, stored and/or accessed, and transaction records of all movements performed on the data are securely logged. If the data is accessed through a software, user authorizations for this software are made. It is ensured that adequate security measures (against situations such as electricity leakage, fire, flood, theft, etc.) are taken according to the nature of the environment where sensitive personal data is located, and unauthorized entries and exits are prevented by ensuring the physical security of these environments. A service contract containing the necessary rules within the scope of the protection of Personal Data is signed with the parties from whom service is received for protection, and compliance with the terms of the contract is monitored through audits. If sensitive personal data is to be transferred, it is transferred in encrypted form with a corporate e-mail address or by using a Registered Electronic Mail (KEP) account if the data is to be transferred via e-mail. If the data is required to be transferred via paper media, necessary precautions are taken against the risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in the form of “confidential documents".
For electronic environments where personal data is processed, stored and/or accessed
All computers are protected with passwords given by users. The server is in the cabinet and locked. The procedure for destruction and destruction of data and storage periods are as prescribed by law. It is deleted at the end of at least 15 days. It is ensured that the technical infrastructure to prevent or monitor the leakage of Personal Data outside of our Company and the creation of the relevant technical infrastructures (Firewall firewall program and Anti-virus programs are actively installed on all computers in our Company). Addresses are defined and separate AP is defined for guest users and separated from the network. Transaction records of all movements performed on the data are securely logged and LOG records are kept. the necessary security tests are regularly performed/have done, and the test results are recorded.
Necessary measures in this direction will be taken by KARAMAN GROUP.
In physical environments where sensitive personal data is processed, stored and/or accessed;
Adequate security measures (electrical leakage, electricity leakage, against situations such as fire, flood, theft, etc.), preventing unauthorized entry and exit by ensuring the physical security of these environments, is under the guarantee of KARAMAN GROUP.
If personal data of special nature is to be transferred physically or electronically
If the data is to be transferred via e-mail, it must be transferred in encrypted form with a corporate e-mail address or by using a Registered Electronic Mail (KEP) account, If transferring between servers in different physical environments, data transfer should be performed by establishing a VPN between servers or by sFTP method, If data is transferred via paper media It is under the guarantee of KARAMAN GROUP that the necessary measures are taken against the risks such as theft, loss or viewing of the documents by unauthorized persons and that the documents are sent in the format of “confidential documents".
XI- RIGHT OF APPLICATION OF DATA OWNERS
Personal data owners defined as KVKK data subjects (hereinafter referred to as the “Applicant") have been granted the right to make certain requests regarding the processing of their personal data in Article 11 of the KVK Law (in short, the “right of application").
Personal data owners within the scope of Article 11 of the KVKK;
Learning whether personal data is processed, Requesting information if personal data has been processed, Learning the purpose of processing personal data and whether they are used in accordance with its purpose, Knowing the third parties to whom personal data is transferred, in case of incomplete or incorrect processing of personal data to request their correction and to notify the third parties to whom the personal data has been transferred,
• Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing cease to exist, although it has been processed in accordance with the provisions of the KVKK and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred, Analyzing the processed data exclusively through automated systems has the right to object to the emergence of a result against the person himself, to demand the compensation of the damage in case of damage due to the unlawful processing of personal data.
In this context, the applications to be made to KARAMAN GROUP, by printing out the data owner application form (available on our website);
By the Applicant's personal application,
Via notary,
Signed by the Applicant with the “secure electronic signature” defined in the Electronic Signature Law No. 5070 and sent to the registered e-mail address of the Company. .
An application must be submitted to the Data Controller together with the information and documents specified in Article 5 of the Communiqué on Application Procedures and Principles. For information CLICK ON KVKK APPLICATION.