Approved by the Directors Board.
Effective Date: 28/02/2023
1. ABBREVIATONS AND CONCEPTS
2. ISSUES REGARDING THE PROTECTION OF PERSONAL DATA
3. ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA
4. CATEGORIZATION, PROCESSING PURPOSES AND STORAGE PERIODS OF PERSONAL DATA PROCESSED BY THE DATA CONTROLLER
5. CATEGORIZATION OF THE OWNERS OF THE PERSONAL DATA PROCESSED BY THE DATA CONTROLLER
6. THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED BY THE DATA CONTROLLER AND THE PURPOSES OF TRANSFER
7. PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO THE PROCESSING CONDITIONS IN THE LAW
8. CONDITIONS FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
9. RIGHTS OF PERSONAL DATA SUBJECTS; METHODOLOGY FOR THE EXERCISE AND EVALUATION OF THESE RIGHTS
10. THE RELATIONSHIP OF THE DATA CONTROLLER'S POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA WITH OTHER POLICIES
| KVKK/Law |
Personal Data Protection Law No. 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677 |
| GDPR | EU (European Union) General Data Protection Regulation |
| Constitution | The Constitution of the Republic of Turkey, dated 7 November 1982 and numbered 2709, published in the Official Gazette dated 9 November 1982 and numbered 17863 |
| Data Processor | Except for the person or unit responsible for technical storage, protection and backup of the data, the person who processes personal data outside the organization of the data controller and in line with the authorization and instruction received from the data controller. |
| Data Owner/Data Subject | Natural persons whose personal data are processed, such as operational transactionss, customers, business partners, shareholders, officials, potential customers, candidate operational transactionss, interns, visitors, suppliers, operational transactionss of the institutions with which the Company is affiliated, and third parties and other persons, including but not limited to those listed herein. |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. For the purposes of this Policy, Ames Europe Tekstil Sanayi ve Ticaret Anonim Şirketi will hereinafter be referred to as the Data Controller. |
| Open Consent | Consent on a specific issue, based on information and freely given. |
| Disposal | Deletion, disposal or anonymization of personal data. |
| Storage/Recording Environment | Any environment in which personal data processed by fully or partially automated or non-automated means, provided that it is part of any data recording system. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Sensitive Personal Data | Personal data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. |
| Processing of Personal Data | Any operation performed on personal data such as obtaining, recording, storing, retaining, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. |
| Anonymization of Personal Data | Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data. |
| Deletion of Personal Data | The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way. |
| Disposal of Personal Data | The process of making personal data inaccessible, irretrievable and non-reusable by anyone in any way. |
| Periodic Disposal | Deletion, destruction or anonymization to be carried out ex officio at recurring intervals in the event that all of the conditions for processing personal data specified in the Law are eliminated. |
| Regulation | Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017 and numbered 30224 and entered into force as of January 1, 2018. |
| PDP Board / Board | Personal Data Protection Board |
| PDP Authority | Personal Data Protection Authority |
| Policy | Data Controller Personal Data Protection and Processing Policy |
| Turkish Penal Code | Turkish Penal Code dated September 26, 2004 and numbered 5237; published in the Official Gazette dated October 12, 2004 and numbered 25611. |
| Obligation to Inform | The data controller shall inform the relevant persons about the identity of the Data Controller, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the data subject listed in Article 11 of the KVKK. |
| Data Controllers Registry Information System (VERBIS) | It is a data registry system created by the Board Presidency under the supervision of the Board, where data controllers register and declare information about their data processing activities. |
As the Data Controller, we are aware of our responsibility for the protection of personal data, which is regulated as a constitutional right, and taking it under legal guarantee, and we give importance to the safe use of your personal data.
The purpose of this policy is to regulate the methods and principles to be followed by Ames Europe Tekstil Sanayi ve Ticaret Anonim Şirketi to ensure that it processes and protects personal data in accordance with the Law on the Protection of Personal Data (KVKK) published in the Official Gazette dated April 7, 2016 and numbered 29677.
In this way, it is aimed to ensure full compliance with the legislation in the processing and protection of personal data carried out by the Data Controller and to protect all rights of personal data owners arising from the legislation on personal data.
This policy applies to the activities carried out by Ames Europe Tekstil Sanayi ve Ticaret Anonim Şirketi for the processing and protection of all personal data.
This policy covers natural persons whose personal data are processed by the Data Controller through automatic or non-automatic means, provided that they are part of any data recording system. This Policy does not apply to legal entities and legal entity data in any way.
| Groups of Persons Whose Data are Processed under the Policy |
| Operational transactions |
| Supplier Operational transactions |
| Potential Product or Service Purchaser |
| Supplier Representative |
| Product or Service Purchaser |
| Shareholder/Partner |
| Parent / Guardian / Representative |
| Operational transactions Candidate |
| Visitor |
| Intern |
| Public Official |
| Operational transactions Relative |
| Workplace Doctor |
| Doctor |
| Occupational Health and Safety Specialist |
| Party to Lawsuit, Enforcement Case |
| Website Visitors |
The entire scope of application of this Policy will cover all of the personal data owners in the above-mentioned categories of the relevant group of persons; some of its provisions may only be directed to certain groups of relevant persons.
This policy is implemented by the Data Controller in the activities carried out for the processing and protection of all personal data, together with the relevant detailed data procedures.
Within the scope of this Policy, the relevant legal regulations and data security principles in force in the national legislation on the processing and protection of personal data will primarily apply. In case of incompatibility between the legislation in force and the Policy, the Data Controller agrees that the legislation in force will be applied.
In accordance with Article 12 of the KVKK, the Data Controller takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of the personal data it processes, to prevent unlawful access to the data and to ensure the preservation of the data, and to carry out or have the necessary audits carried out within this scope.
Subject to the confidentiality of personal data, the Data Controller takes technical and administrative measures in accordance with the technological possibilities and the cost of implementation in order to ensure the appropriate level of security in order to ensure that personal data is processed in accordance with the law, to prevent unlawful access to this data, to prevent its loss and destruction, to ensure its storage and preservation in secure environments.
The main technical measures taken by the Data Controller, subject to personal data confidentiality, to ensure that personal data is processed in accordance with the law, to prevent unlawful access to this data, to prevent loss and destruction, to ensure the appropriate level of security in order to ensure storage and preservation in secure environments are listed below:
| Technical Measures |
| Network security and application security are ensured |
| A closed system network is used for personal data transfers through the network |
| Key management is in place |
| Security measures are taken within the scope of procurement, development, and maintenance of information technology systems |
| Security of personal data stored in the cloud is ensured |
| Access logs are kept regularly |
| Corporate policies on access, information security, use, storage, and disposal have been prepared and implemented |
| Data masking measures are applied when necessary |
| Up-to-date anti-virus systems are used |
| Firewalls are used |
| Personal data is backed up and the security of the backed-up personal data is also ensured |
| User account management and authorization control system is implemented and monitored |
| Log records are kept without user intervention |
| Intrusion detection and prevention systems are used |
| Cyber security measures have been taken and their implementation is constantly monitored |
| Encryption is performed |
| Sensitive personal data transferred in portable memory, CD, DVD media are transferred by encrypting the data |
| Data loss prevention software is used |
The main administrative measures taken by the Data Controller, subject to personal data confidentiality, to ensure that personal data is processed in accordance with the law, to prevent unlawful access to this data, to prevent loss and destruction, to ensure the appropriate level of security in order to ensure that it is stored and stored in secure environments are listed below:
| Administrative Measures |
| Disciplinary arrangements are in place for operational transactionss that include data security provisions |
| Training and awareness activities on data security for operational transactionss are carried out at regular intervals |
| An authorization matrix has been created for operational transactionss |
| Confidentiality commitments are made |
| Operational transactionss who change their position or leave their job are de-authorized in this area |
| The signed contracts contain data security provisions |
| Extra security measures are taken for personal data transferred via paper and the relevant document is sent in a confidential document format |
| Personal data security policies and procedures have been determined |
| Personal data security issues are quickly reported |
| Personal data security is monitored |
| Necessary security measures are taken for entering and exiting physical environments containing personal data |
| Physical environments containing personal data are secured against external risks (fire, flood, etc.) |
| Security of environments containing personal data is ensured |
| Personal data is minimized as much as possible |
| Internal periodic and/or random audits are conducted and commissioned |
| Existing risks and threats have been identified |
| Protocols and procedures for the security of sensitive personal data have been determined and implemented |
| Awareness of data processing service providers on data security is ensured |
In accordance with Article 12 of the KVK Law, the Data Controller conducts or has the necessary audits carried out within its own organization. The results of the measure audit carried out within the scope of the audit activities required to fulfill the obligations of the legal regulations that constitute the personal data protection planning are reported to the relevant department within the scope of the internal functioning of the Data Controller and necessary activities are carried out to improve the measures taken.
The Data Controller has the obligation to protect the personal data it processes against unauthorized access, illegal processing, disclosure, loss and alteration. In the event that the personal data processed in accordance with Article 12 of the KVKK is obtained and used by unauthorized others through unlawful means, it carries out the system that ensures that this situation is notified to the relevant personal data owner and the PDP Board as soon as possible.
The Data Controller carries out the necessary channels, internal functioning, administrative and technical arrangements in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.
If personal data owners submit their requests regarding their rights listed below in writing to us, the Data Controller, will finalize the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the rate schedule determined by the PDP Board will be charged to the applicant data owner.
Personal data owners;
KVKK shows great importance to certain sensitive personal data due to the risk of causing victimization or discrimination in case of unlawful processing.
These data include data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
The Data Controller acts sensitively in the protection of special categories of personal data, which are determined as "special categories" by the KVKK and processed in accordance with the law. In this context, the technical and administrative measures taken by the Data Controller for the protection of personal data are carefully implemented in terms of special categories of personal data and necessary audits are provided within the Data Controller and a Policy on Processing and Protection of Special Categories of Personal Data is also established.
The Data Controller ensures that the necessary trainings are organized for the business units in order to raise awareness to prevent unlawful processing of personal data, unlawful access to data and to ensure the protection of data.
Necessary systems are established to ensure that the existing operational transactionss of the business units of the Data Controller and the operational transactionss who are newly included in the business unit are aware of the protection of personal data, and if necessary, professional persons are hired.
The results of the trainings conducted to increase the awareness of the business units of the Data Controller on the protection and processing of personal data are reported to the Data Controller. In this direction, the Data Controller evaluates the participation in the relevant trainings, seminars and information sessions and conducts or has the necessary audits carried out. As the Data Controller, the trainings carried out by us are updated and renewed in parallel with the updating of the relevant legislation.
The Data Controller, in accordance with Article 20 of the Constitution and Article 4 of the KVKK, in the processing of personal data; in accordance with the law and good faith; accurate and up to date when necessary; pursuing specific, clear and legitimate purposes; personal data processing activities in a purpose-related, limited and measured manner.
The Data Controller retains personal data for the period stipulated by law or required by the purpose of personal data processing.
Pursuant to Article 20 of the Constitution and Article 5 of the KVKK, the Data Controller processes personal data based on one or more of the conditions in Article 5 of the KVKK regarding the processing of personal data.
In accordance with Article 20 of the Constitution and Article 10 of the KVKK, the Data Controller informs the personal data subjects and provides the necessary information in case the personal data subjects request information.
In accordance with Article 6 of the KVKK, the Data Controller acts in accordance with the regulations stipulated for the processing of special categories of personal data.
In accordance with Articles 8 and 9 of the KVKK, the Data Controller acts in accordance with the regulations stipulated in the law and set forth by the PDP Board regarding the transfer of personal data.
The Data Controller acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, the Data Controller takes into account the proportionality requirements in the processing of personal data and does not use personal data for purposes other than its purpose.
Data Controller; It ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of personal data owners and their legitimate interests. It takes necessary measures in this direction.
The Data Controller clearly and precisely determines the legitimate and lawful purpose of personal data processing. The Data Controller processes personal data in connection with and to the extent necessary for the services it provides. The purpose for which personal data will be processed by the Data Controller is determined before the personal data processing activity begins.
The Data Controller processes personal data in a manner that is conducive to the realization of the specified purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed.
The Data Controller retains personal data only for the period specified in the relevant legislation or for the period required for the purpose for which they are processed. In this context, the Data Controller first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period of time is determined, it acts in accordance with this period, and if a period of time is not determined, it keeps personal data for the period required for the purpose for which they are processed. Personal data are deleted, disposed of or anonymized by the Data Controller at the end of the period or in the event that the reasons requiring their processing disappear. Personal data are not stored by the Data Controller with the possibility of future use.
Protection of personal data is a constitutional right. Fundamental rights and freedoms may be restricted without prejudice to their essence only for the reasons specified in the relevant articles of the Constitution and only by law. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may only be processed in cases stipulated by law or with the explicit consent of the person. In this direction and in accordance with the Constitution; the Data Controller processes personal data only in cases stipulated by law or with the explicit consent of the person.
In accordance with Article 10 of the Data Controller and KVKK, we inform personal data owners during the acquisition of personal data. In this context, we inform about the identity of the Data Controller and its representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data and the rights of the personal data owner.
Article 20 of the Constitution stipulates that everyone has the right to be informed about personal data concerning him/her. In this direction, "requesting information" is also listed among the rights of the personal data owner in Article 11 of the KVKK. In this context, the Data Controller provides the necessary information in case the personal data owner requests information in accordance with Article 20 of the Constitution and Article 11 of the KVKK.
While fulfilling the disclosure obligation, the Data Controller acts in accordance with the Law No. 6698, the Communiqué on the Procedures and Principles to be followed in the Fulfillment of the Disclosure Obligation, the Board decisions published on the website of the Authority and the Guide to the Fulfillment of the Disclosure Obligation prepared by the Authority.
In the processing of personal data determined as "special quality" by the KVKK, the Data Controller acts in strict compliance with the regulations stipulated in the KVKK.
In Article 6 of the KVKK, some personal data that have the risk of causing victimization or discrimination when processed unlawfully are determined as "special categories". These data are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
In accordance with the KVKK, special categories of personal data are processed by the Data Controller in the following cases, provided that adequate measures to be determined by the PDP Board are taken:
or
Sensitive personal data other than the health and sexual life of the personal data owner, in cases stipulated by law,
Sensitive personal data relating to the health and sexual life of the personal data owner are processed only by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
A separate policy for the processing of special categories of personal data is established by the Data Controller.
The Data Controller may transfer the personal data and sensitive personal data of the personal data owner to third parties by taking the necessary security measures in line with the lawful personal data processing purposes. In this direction, the Data Controller acts in accordance with the regulations stipulated in Article 8 of the KVKK.
In line with legitimate and lawful personal data processing purposes, the Data Controller may transfer personal data to third parties based on and limited to one or more of the personal data processing conditions specified in Article 5 of the Law listed below:
The Data Controller may transfer the personal data of the personal data owner to third parties in the following cases in line with the legitimate and lawful personal data processing purposes by taking the necessary care, taking the necessary security measures and adequate measures stipulated by the PDP Board.
or
Sensitive personal data (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and apparel, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data) other than the health and sexual life of the personal data owner, in cases stipulated by law,
Sensitive personal data relating to the health and sexual life of the personal data owner are transferred only to persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
The Data Controller may transfer the personal data and sensitive personal data of the personal data owner to third parties abroad by taking the necessary security measures in line with the lawful personal data processing purposes. As a result of the widespread use of company applications that provide information services today, communication through instant messaging or online communication channels is established through platforms and applications of foreign origin. Therefore, it is possible to transfer data abroad through these platforms.
Personal data are transferred by the Data Controller to foreign countries declared to have adequate protection by the PDP Board or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the PDP Board has permission ("Foreign Country Where the Data Controller Undertakes Adequate Protection"). In this direction, the Data Controller acts in accordance with the regulations stipulated in Article 9 of the KVKK.
In line with the legitimate and lawful personal data processing purposes, the Data Controller may transfer personal data to Foreign Countries with Adequate Protection or to Foreign Countries where there is a Data Controller Committed to Adequate Protection in the presence of one of the following cases if the personal data owner has explicit consent or if the personal data owner does not have explicit consent:
or
Sensitive personal data other than the health and sexual life of the personal data owner (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, and biometric and genetic data), in cases stipulated by law,
Sensitive personal data relating to the health and sexual life of the personal data owner can only be transferred within the scope of processing by persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
In accordance with Article 10 of the KVKK, the Data Controller informs the personal data owner of which personal data owner groups' personal data are processed, the purposes of processing the personal data of the personal data owner and the retention periods within the scope of the disclosure obligation.
The following categories of personal data are processed by the Data Controller by informing the relevant persons in accordance with Article 10 of the KVKK, in line with the legitimate and lawful personal data processing purposes of the Data Controller, based on one or more of the personal data processing conditions specified in Article 5 of the KVKK and limited to the subjects within the scope of this Policy by complying with the general principles specified in the KVKK, especially the principles specified in Article 4 regarding the processing of personal data, and all obligations regulated in the KVKK.
| Category of Personal Data | Description |
| Identity Data | Data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; containing information about the identity of the person; (documents such as driver's license, identity card and passport containing information such as name-surname, Turkish ID number, nationality information, mother's name-father's name, place of birth, date of birth, gender, and information such as tax number, Social Security number, signature information, vehicle license plate, etc.) |
| Contact Data | Information that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; (information such as telephone number, address, e-mail address, fax number, IP address) |
| Financial Data | Data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; (Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by the Data Controller with the personal data owner and data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information) |
| Professional Experience Data | Data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; data containing information about the identity of the person; (Data processed according to the type of legal relationship established by the Data Controller with the Personal Data Owner; data such as diploma information, courses attended, vocational training information, certificates, candidate application forms, reference interview information, job interview information, transcript information). |
| Criminal Conviction and Security Measures Data | Data belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, (data such as the criminal record of the Personal Data Owner obtained within the framework of the operations carried out by the business units of the Data Controller or in order to carry out the business processes of natural persons in a working relationship with the Data Controller or to protect the legal and other interests of the Data Controller and the Personal Data Owner) |
| Location Data | Information that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system (information that determines the location of the personal data owner within the framework of the operations carried out by the business units, during the use of products and services or while using the vehicles of the operational transactionss, GPS location, travel data, etc.). |
| Audio/Visual Data | Data that clearly belongs to an identified or identifiable natural person (photographs and camera recordings (except for recordings within the scope of Physical Space Security Information), voice recordings and data contained in documents that are copies of documents containing personal data) |
| Personnel Information | All kinds of personal data that clearly belong to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed to obtain information that will be the basis for the formation of the operational transactions's rights of natural persons who are in a working relationship with the Data Controller |
| Health Data | Personal data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system (health data such as health report, disability tax exemption certificates, insurance certificates, military service status certificates of the Personal Data Owner and / or family members obtained within the framework of the operations carried out by the business units of the Data Controller, in relation to the products and services offered or in order to carry out the business processes of natural persons in a working relationship with the Data Controller or to protect the legal and other interests of the Data Controller and the Personal Data Owner) |
| Legal Process Data | Data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed within the scope of the Data Controller's legal processes, determination of receivables and rights, follow-up and fulfillment of debts and legal obligations, information in correspondence with judicial authorities, incoming and outgoing documents, information such as case files. |
| Venue Security Data | Personal data relating to records and documents taken at the entrance to the physical space, during the stay in the physical space, camera recordings, records taken at the security point, etc., which are clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system. |
| Risk Management Data | Data that clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed for the management of all kinds of commercial, technical, administrative risks created according to the type of legal relationship established by the Data Controller with the Personal Data Owner. |
| Customer Transaction Data | Information such as call center records, invoice, promissory note check information, order information, request information, request information, offer, service number obtained and produced about the relevant person as a result of the commercial activities of the Data Controller and the operations carried out by the business units, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system. |
| Marketing Data | Data obtained through shopping history information, surveys, cookie records, campaigns, which are clearly belonging to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, obtained and produced about the relevant person as a result of the commercial activities of the Data Controller and the operations carried out by the business units. |
| Process Security Information | Personal data such as IP Address information, Website login and exit information, password and password information, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system, processed regarding the technical, administrative, legal and commercial security of both the Personal Data Owner and the Data Controller while carrying out the activities of the Data Controller. |
| Vehicle Information | Data such as Vehicle License Plate, Vehicle License Plate, Embezzled Vehicle Information, Vehicle License Plate, Vehicle License Plate, Vehicle License Plate, which clearly belongs to an identified or identifiable natural person, processed partially or completely automatically or non-automatically as part of the data recording system. |
| Family Member and Relative Data | Information on family members who clearly belong to an identified or identifiable natural person, processed partially or fully automatically or non-automatically as part of the data recording system |
The Data Controller processes personal data limited to the purposes and conditions within the personal data processing conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the KVKK. These purposes and conditions are listed below:
In this context, the Data Controller processes your personal data for the following purposes:
| Purposes of Processing |
| Execution / Supervision of Business Activities |
| Execution of Goods / Services Production and Operation Processes |
| Execution of Management Activities |
| Ensuring the Security of Movable Property and Resources |
| Execution of Marketing Processes of Products / Services |
| Execution of Finance and Accounting Affairs |
| Execution of Logistics Activities |
| Execution of Activities in Compliance with the Legislation |
| Execution of Occupational Health / Safety Activities |
| Execution of Risk Management Processes |
| Ensuring the Security of Data Controller Operations |
| Execution of Business Continuity Ensuring Activities |
| Receiving and Evaluating Suggestions for Improvement of Business Processes |
| Execution of Goods / Service Procurement Processes |
| Execution of Supply Chain Management Processes |
| Execution of Goods / Service Sales Processes |
| Fulfillment of Obligations Arising from Employment Contract and Legislation for Operational transactionss |
| Monitoring and Execution of Legal Affairs |
| Execution of Contract Processes |
| Execution of Customer Relationship Management Processes |
| Execution of Activities for Customer Satisfaction |
| Providing Information to Authorized Persons, Institutions and Organizations |
| Organization and Event Management |
| Execution of Goods / Services After Sales Support Services |
| Execution of Communication Activities |
| Tracking Requests / Complaints |
| Execution of Information Security Processes |
| Planning Human Resources Processes |
| Execution of Operational transactions Satisfaction and Loyalty Processes |
| Execution of Fringe Benefits and Benefits Processes for Operational transactionss |
| Conducting Audit / Ethics Activities |
| Conducting Internal Audit / Investigation / Intelligence Activities |
| Execution of Emergency Management Processes |
| Execution of Access Authorizations |
| Ensuring Physical Space Security |
| Conducting Training Activities |
| Execution of Operational transactions Candidate Application Processes |
| Execution of Operational transactions Candidate / Intern / Student Selection and Placement Processes |
| Execution of Assignment Processes |
| Execution of Human Resources Processes |
| Execution of Personnel Attendance Control System |
| Execution of Performance Evaluation Processes |
| Execution of Termination Procedures |
| Execution of Wage Policy |
| Execution of Company / Product / Service Loyalty Processes |
| Conducting Marketing Analysis Studies |
| Execution of Strategic Planning Activities |
| Creating and Tracking Visitor Records |
| Execution of Social Responsibility and Civil Society Activities |
If the processing activity carried out for the aforementioned purposes does not meet any of the conditions stipulated under the KVKK, your explicit consent is obtained by the Data Controller regarding the relevant processing process.
If stipulated in the relevant laws and regulations, the Data Controller retains personal data for the period specified in these regulations. The retention periods determined by the Data Controller are stated below:
| Categories of Personal Data | Retention Period |
| Identity |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing 5 years from the end of the processing purpose |
| Contact |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Audio and Visual Recordings |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Finance |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Location |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Customer Transaction |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Professional Experience |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Risk Management |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Process Security |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Legal Action |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship 10 Years from the end of the activity 10 Years from the End of the Purpose of Data Processing |
| Personnel |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship |
| Criminal Conviction and Security Measures | 15 years from the termination of the employment contract |
| Health Information | 15 years from the termination of the employment contract |
| Working Family Member and Relative Information |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship |
| Physical Space Security | 15 years from the termination of the employment contract 25 Days |
| Marketing | 10 Years from the End of the Purpose of Data Processing |
| Vehicle Information |
15 years from the termination of the employment contract 10 years from the termination of the legal relationship |
If a period of time is not regulated in the legislation regarding how long personal data should be stored, Personal Data is processed for the period required to be processed in accordance with the practices and customs of the commercial life of the Data Controller, depending on the activity carried out by the Data Controller while processing that data, and then deleted, destroyed or anonymized. You can find detailed information on this subject in the Policy on Deletion, Destruction or Anonymization of Personal Data of the Data Controller.
If the purpose of processing personal data has ended and the retention periods determined by the relevant legislation and the Data Controller have come to an end; personal data can only be stored for the purpose of constituting evidence in possible legal disputes or to assert the relevant right related to personal data or to establish a defense. In the establishment of the periods here, the retention periods are determined based on the statute of limitations for the assertion of the aforementioned right and the examples in the requests previously addressed to the Data Controller on the same issues despite the expiration of the statute of limitations. In this case, the stored personal data is not accessed for any other purpose and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. After the aforementioned period expires, personal data are deleted, destroyed or anonymized.
All units and operational transactionss of the Data Controller actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law by properly implementing the technical and administrative measures taken by the responsible units within the scope of the Policy, training and raising awareness of the unit operational transactionss, monitoring and continuous supervision.
Personal data belonging to data subjects are securely stored by the Data Controller in the environments listed in the table below in accordance with the relevant legislation, especially the provisions of the KVKK:
| Storage Environments |
| Computer |
| Locked Archive Cabinet |
| Business Server |
| Archive Cabinet |
| Unit Archive |
| Double Locker in Controlled Zone |
| Software - Domestic |
| Domestic Email Server |
| Access Restricted File |
| Abroad Email Server |
The table below details the categories of personal data subjects mentioned above and the types of personal data processed by the persons within these categories.
| Personal Data Owner Category and Description | Categories of Processed Personal Data of the Data Subject |
|
Operational transactions (Real persons who have an employment contract with the Data Controller) |
Identity Contact Audio and Visual Recordings Location Professional Experience Finance Risk Management Process Security Legal Action Personnel Criminal Conviction and Security Measures Health Information Working Family Member and Relative Information Physical Space Security Marketing Vehicle Information |
|
Product or Service Purchaser (Natural persons whose personal data are obtained through the business relations of the Data Controller within the scope of the operations carried out by the business units of the Data Controller, regardless of whether they have any contractual relationship with the Data Controller) |
Identity Contact Customer Transaction Legal Action Finance Risk Management Marketing Physical Space Security Professional Experience |
|
Supplier Operational transactions (Real persons authorized to represent the Data Controller who are bound to the Data Controller by a supply contract) |
Identity Contact Finance Location Process Security Marketing Physical Space Security Personnel Professional Experience Health Information Vehicle Information |
|
Shareholder/Partner (Real persons who are shareholders of the Data Controller) |
Identity Contact Finance Risk Management Legal Action Professional Experience Location Process Security Physical Space Security Audio and Visual Recordings |
|
Operational transactions Candidate (Natural persons who have applied for a job to the Data Controller by any means or who have opened their CV and related information to the examination of the Data Controller) |
Identity Contact Personnel Professional Experience Audio and Visual Recordings Health Information Criminal Conviction and Security Measures Physical Space Security |
|
Parent / Guardian / Representative (Person(s) authorized to act on behalf of the natural or legal person who has a legal relationship with the Data Controller) |
Identity Finance Contact Legal Action Risk Management Professional Experience |
|
Visitor (Real persons who have entered the physical premises owned by the Data Controller for various purposes or who visit our websites) |
Identity Health Information Contact Process Security Physical Space Security Marketing Vehicle Information |
|
Supplier Representative (Natural persons who are bound to the Data Controller by a supply contract and have an employment contract with the Data Controller) |
Identity Contact Finance Legal Action Risk Management Customer Transaction Physical Space Security Professional Experience |
|
Potential Product or Service Buyer (Natural persons whose personal data are obtained through the business relations of the Data Controller within the scope of the operations carried out by the business units of the Data Controller as a basis for the future legal relationship with the Data Controller) |
Identity Contact Customer Transaction Location Process Security Marketing Physical Space Security |
|
Operational transactions Candidate (Natural persons who have applied for a job to the Data Controller by any means or who have opened their CV and related information to the examination of the Data Controller) |
Identity Communication Personel Professional Experience Criminal Conviction and Security Measures Legal Process Visual/Audio Records Health Venue Security |
|
Intern (Real persons who are in an internship relationship with the Data Controller) |
Identity Contact Personnel Professional Experience Health Information Finance |
|
Public Official (Other groups of people) |
Identity Communication |
|
Occupational Health and Safety Specialist (Other groups of people) |
Identity Communication Professional Experience |
|
Doctor (Other groups of people) |
Identity Professional Experience |
|
Workplace Doctor (Other groups of people) |
Identity Professional Experience |
|
Website Visitors (Other groups of people) |
Process Security Marketing Identity |
|
Party to Lawsuit, Enforcement Case (Other groups of people) |
Identity Communication |
In accordance with Article 10 of the KVKK, the Data Controller informs the personal data owner about the groups of persons to whom personal data are transferred.
The Data Controller may transfer the personal data of the data owners managed by the Policy in accordance with Articles 8 and 9 of the KVKK to domestic and foreign recipient groups within the scope of the transfer reasons based on the data category listed below:
| Category of Data | Reason of Transfer | Recipient | ||
| Domestic | Abroad | Domestic | Abroad | |
| Identity |
Operational transactions Legal Obligation Information Court Order Administration Request Monitoring the Legal Affairs and Transactions of the Data Controller Contract Transmission to Data Processors Commercial Purpose |
Operational Transactions Information Informing Subsidiaries Contract Legal Obligation Commercial Purpose |
Suppliers Authorized Public Institutions and Organizations Natural Persons or Private Law Legal Entities Shareholders Associates and Subsidiaries |
Suppliers Natural Persons or Private Law Legal Entities Business Partners Associates and Subsidiaries Authorized Public Institutions and Organizations |
| Contact |
Legal Obligation Operational transactions Information Court Order Administration Request Monitoring the Legal Affairs and Transactions of the Data Controller Contract Commercial Purpose |
Operational Transactions Information Informing Subsidiaries Contract Legal Obligation Commercial Purpose |
Suppliers Authorized Public Institutions and Organizations Natural Persons or Private Law Legal Entities Shareholders Associates and Subsidiaries |
Suppliers Natural Persons or Private Law Legal Entities Business Partners Associates and Subsidiaries Authorized Public Institutions and Organizations |
| Audio and Visual Recordings |
Operational transactions Legal Obligation Court Order Administration Request Monitoring the Legal Affairs and Transactions of the Data Controller Transmission to Data Processors Information |
Suppliers Authorized Public Institutions and Organizations Natural Persons or Private Law Legal Entities |
||
| Finance |
Operational transactions Legal Obligation Information Administration Request Monitoring the Legal Affairs and Transactions of the Data Controller Contract |
Information Operational transactions Informing subsidiaries |
Authorized Public Institutions and Organizations Suppliers Natural Persons or Private Law Legal Entities Business Partners Associates and Subsidiaries |
Suppliers Business Partners Associates and Subsidiaries Private Law Legal Entities Authorized Public Institutions and Organizations |
| Location |
Operational transactions Legal Obligation |
Authorized Public Institutions and Organizations Suppliers |
||
| Customer Transaction |
Operational transactions Legal Obligation Information |
Operational transactions Information Informing subsidiaries |
Suppliers Authorized Public Institutions and Organizations Natural Persons or Private Law Legal Entities |
Suppliers Natural Persons or Private Law Legal Entities Associates and Subsidiaries |
| Professional Experience |
Legal Obligation Operational transactions Court Order Administration Request Monitoring the Legal Affairs and Transactions of the Data Controller Information Contract Commercial Purpose |
Information Operational transactions Contract Commercial Purpose Informing subsidiaries |
Authorized Public Institutions and Organizations Suppliers Natural Persons or Private Law Legal Entities Associates and Subsidiaries |
Natural Persons or Private Law Legal Entities Business Partners Associates and Subsidiaries |
| Risk Management |
Legal Obligation Information Operational transactions Commercial Purpose |
Operational Transactions Information Informing subsidiaries |
Authorized Public Institutions and Organizations Natural Persons or Private Law Legal Entities Suppliers |
Suppliers Natural Persons or Private Law Legal Entities Associates and Subsidiaries |
| Process Security |
Legal Obligation Information Operational transactions |
Operational Transactions |
Authorized Public Institutions and Organizations Supplier |
|
| Legal Action |
Legal Obligation Information Operational transactions |
Operational Transactions |
Authorized Public Institutions and Organizations Supplier |
Suppliers |
| Personnel |
Court Order Legal Obligation Administration Request Monitoring the Legal Affairs and Transactions of the Data Controller Operational transactions Information Contract Commercial Purpose |
Operational Transactions |
Authorized Public Institutions and Organizations Supplier |
Suppliers |
| Criminal Conviction and Security Measures |
Court Order Legal Obligation Administration Request Operational transactions Monitoring the Legal Affairs and Transactions of the Data Controller |
Operational Transactions |
Authorized Public Institutions and Organizations Supplier |
Suppliers |
| Health Information |
Legal Obligation Operational transactions Administration Request Monitoring the Legal Affairs and Transactions of the Data Controller Court Order |
Suppliers Business Partners Associates and Subsidiaries Private Law Legal Entities Authorized Public Institutions and Organizations |
||
|
Operational transactions Family Member and Relative Information |
Legal Obligation Operational transactions Administration Request Monitoring the Legal Affairs and Transactions of the Data Controller |
Suppliers Business Partners Associates and Subsidiaries Private Law Legal Entities Authorized Public Institutions and Organizations |
||
| Physical Space Security |
Legal Obligation Operational transactions |
Authorized Public Institutions and Organizations | ||
| Marketing | Legal Obligation | Authorized Public Institutions and Organizations | ||
| Vehicle Information |
Legal Obligation Information |
Informing subsidiaries | Authorized Public Institutions and Organizations | Informing subsidiaries |
The definition and scope of the recipient groups to which the above-mentioned transfers are made are set out in the table below.
| Persons to whom data can be transferred | Definition of Persons to Whom Data Can Be Transferred |
| Authorized Public Institutions and Organizations |
Public institutions and organizations authorized to receive information and documents from the Data Controller in accordance with the provisions of the relevant legislation. (All ministries, judicial, administrative institutions and organizations under the Presidency, especially the Ministry of Justice, the Constitutional Court, the Court of Cassation, the Council of State, the Regional Courts of Appeal, Local Courts and other courts of the Republic of Turkey, all departments and levels of the Turkish Grand National Assembly, other administrative and financial accident institutions, Governorships, District Governorships, Security Directorates, Consulates of the relevant country, Population and Citizenship Courts, all departments and degrees of the departments and institutions of the Turkish Grand National Assembly, other administrative and financial accident institutions, Governorships, District Governorships, Security Directorates, Consulates of the relevant country, Population and Citizenship Affairs Directorates, Tax Offices, all central and provincial organizations and units of the Ministry of Finance, Customs Directorates and Chief Directorates, SSI, General Directorate of Free Zones of the Undersecretariat of Foreign Trade, Free Zones, All Public Banks and all other authorized public institutions and organizations) |
| Suppliers | Defines the parties that provide services to the Data Controller on a contractual basis in accordance with the orders and instructions of the Data Controller while carrying out the commercial activities of the Data Controller |
| Shareholders | Real persons who are shareholders of the Data Controller |
| Associates and Subsidiaries | Real or private legal entities in which the Data Controller is a subsidiary or shareholder |
| Business Partners | Real or private legal entities with whom the Data Controller carries out its commercial activities |
| Real Persons or Private Law Legal Entities | Private law persons or real persons authorized to receive information and documents from the Data Controller in accordance with the provisions of the relevant legislation |
7. PROCESSING OF PERSONAL DATA BASED ON AND LIMITED TO THE PROCESSING CONDITIONS IN THE LAW
The Data Controller informs the personal data owner about the personal data it processes in accordance with Article 10 of the KVKK.
The explicit consent of the personal data owner is only one of the legal grounds that make it possible to process personal data in accordance with the law. Apart from explicit consent, personal data may also be processed in the presence of one of the other conditions listed below. The basis of the personal data processing activity may be only one of the following conditions, or more than one of these conditions may be the basis of the same personal data processing activity. In case the processed data is personal data of special nature; the conditions stated below under the heading 7.1.2. under this section are applied.
Although the legal grounds for the processing of personal data by the Data Controller may vary, all kinds of personal data processing activities are carried out in accordance with the general principles specified in Article 4 of the KVKK.
One of the conditions for processing personal data is the explicit consent of the owner. The explicit consent of the personal data owner must be related to a specific subject, based on information and free will.
For personal data processing activities other than the purpose of processing for the reasons for obtaining personal data, at least one of the conditions in 7.1.1.1.2 - 7.1.1.8 of this title is sought; If one of these conditions is not present, these personal data processing activities are carried out by the Data Controller based on the explicit consent of the personal data owner for these processing activities.
For the processing of personal data based on the explicit consent of the personal data owner, the explicit consent of the personal data owners is obtained through the relevant methods.
The personal data of the data subject may be processed in accordance with the law if it is clearly stipulated in the law.
The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself/herself or another person.
Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process personal data belonging to the parties to the contract.
The personal data of the data subject may be processed if the processing is mandatory for the Data Controller to fulfill its legal obligations as a data controller.
In the event that the data subject has made his/her personal data public by himself/herself, the relevant personal data may be processed.
Personal data of the personal data owner may be processed if data processing is mandatory for the establishment, exercise or protection of a right.
Provided that it does not harm the fundamental rights and freedoms of the personal data owner, data may be processed if it is mandatory for the legitimate interests of the Data Controller.
if the personal data owner does not have explicit consent, provided that adequate measures to be determined by the PDP Board are taken, special categories of personal data are processed by the Data Controller in the following cases:
7.2. Building, Facility Entrances and Personal Data Processing Activities Conducted within the Building Facility
Personal data processing activities carried out by the Data Controller at the entrances of the building facility and within the facility are carried out in accordance with the Constitution, the KVKK and other relevant legislation.
In order to ensure security by the Data Controller, personal data processing activities are carried out for the monitoring of guest entrances and exits with security cameras in the buildings and facilities of the Data Controller.
Personal data processing activity is carried out by the Data Controller through the use of security cameras and recording of guest entrances and exits.
Cameras are divided into two as indoor and outdoor cameras. Indoor cameras are positioned at an angle that will not directly attract our operational transactionss or visitors, except for sinks, rooms, changing cabins and room interiors. The locations of the cameras have been carefully determined to ensure that the monitoring activity is kept to a minimum and limited to the purpose of monitoring.
In this section, explanations will be made regarding the camera surveillance system of the Data Controller and information will be provided on how personal data, confidentiality and fundamental rights of the person are protected.
Within the scope of security camera surveillance activity, the Data Controller aims to protect the interests of the Data Controller and other persons to ensure the security of the Data Controller and other persons.
The Data Controller acts in accordance with the regulations in the KVKK in carrying out camera surveillance activities for security purposes. In order to ensure security in its buildings and facilities, the Data Controller carries out security camera monitoring activities for the purposes stipulated in the relevant legislation in force and in accordance with the personal data processing conditions listed in the KVKK.
The personal data owner is informed by the Data Controller in accordance with Article 10 of the KVKK. The Data Controller notifies with more than one method regarding the camera surveillance activity of the clarification made regarding general issues. Thus, it is aimed to prevent damage to the fundamental rights and freedoms of the personal data owner and to ensure transparency and enlightenment of the personal data owner.
For the camera surveillance activity by the Data Controller; this Policy is published on the Data Controller's website (online policy regulation) and a notification letter regarding the monitoring is posted at the entrances of the areas where the monitoring is carried out (on-site disclosure).
In accordance with Article 4 of the KVK Law, the Data Controller processes personal data in a limited and measured manner in connection with the purpose for which they are processed.
The purpose of video camera surveillance by the Data Controller is limited to the purposes listed in this Policy. In this direction, the monitoring areas, number and time of monitoring of security cameras are sufficient to achieve the security purpose and are limited to this purpose.
Areas that may result in interference with the privacy of the person in a way that exceeds the security purposes (for example, toilets) are not subject to monitoring.
Necessary technical and administrative measures are taken by the Data Controller to ensure the security of personal data obtained as a result of camera surveillance activity in accordance with Article 12 of the KVKK.
Detailed information on the Data Controller's retention period for personal data obtained through camera surveillance is provided in Article 4.3 of this Policy titled Retention Periods of Personal Data.
If it is understood that the video recordings obtained from the security camera constitute evidence in a criminal investigation before the deletion period, if it constitutes evidence in a criminal investigation, it is kept until it is submitted to the judicial authority.
Video recordings obtained from security cameras are kept for 10 years if it is understood that they constitute evidence in a legal dispute before the deletion period.
Only a limited number of Data Controller operational transactionss have access to the records recorded and stored in digital media with live camera images. The limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality undertaking.
Although the Data Controller has been processed in accordance with the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVKK, personal data shall be deleted, destroyed or anonymized upon the Data Controller's own decision or upon the request of the personal data owner, if the reasons requiring its processing disappear. In this context:
As a result, the Data Controller deletes, destroys or anonymizes the Personal Data collected.
In terms of Deletion, Destruction or Anonymization of Personal Data, the Data Controller creates a separate policy in detail within the scope of the Regulation on Deletion, Destruction or Anonymization of Personal Data.
Personal data subjects have the following rights:
Pursuant to Article 28 of the KVK Law, personal data owners cannot assert the rights of personal data owners listed in 9.1.1. in these matters, since the following cases are excluded from the scope of the KVK Law:
Pursuant to Article 28/2 of the KVKK; In the cases listed below, personal data owners cannot assert their other rights listed in 9.1.1. except for the right to demand compensation for the damage:
Personal Data Owners may submit their requests regarding their rights listed under Title 9.1.1. of this section to the Data Controller free of charge by filling out and signing the Application Form with the information and documents that will identify their identity and by the methods specified below or by other methods determined by the Personal Data Protection Board:
In order for third parties to make an application request on behalf of personal data owners, there must be a special power of attorney issued by the data owner through a notary public on behalf of the person who will make the application.
Pursuant to Article 14 of the KVK Law, the personal data owner may file a complaint to the KVK Board within thirty days from the date of learning the response of the Data Controller and in any case within sixty days from the date of application in case the application is rejected, the response is found insufficient or the application is not responded in due time.
In the event that the personal data owner submits his/her request to the Data Controller in accordance with the procedure in section 9.1.3. of this section, the Data Controller will finalize the relevant request free of charge within thirty days at the latest, depending on the nature of the request. However, if a fee is stipulated by the PDP Board, the fee in the tariff determined by the PDP Board will be charged by the Data Controller from the applicant.
The Data Controller may request information from the relevant person in order to determine whether the applicant is the personal data owner. In order to clarify the issues in the application of the personal data owner, the Data Controller may ask questions to the personal data owner about the application.
The Data Controller may reject the application of the applicant in the following cases by explaining the reason:
The Data Controller may also establish sub-policies for internal use regarding the protection and processing of personal data related to the principles set forth in this Policy, as well as other policies for certain groups of persons, especially operational transactionss.
The principles of the Data Controller's sub-policies for internal use are reflected in publicly available policies to the extent relevant, and it is aimed to inform those concerned within this framework and to ensure transparency and accountability regarding the personal data processing activities carried out by the Data Controller.
Ames Europe Tekstil Sanayi ve Ticaret Anonim Şirketi
ames@hs03.kep.tr
Zafer SB Mahallesi Mümtaz Sokak No:29/0 Gaziemir/İZMİR
0 232 258 01 52
info@ames-europe.com
www.ames-europe.com