1.INTRODUCTION
Pursuant to article 20 of the constitution of the Republic of Turkey, Everyone has the right to request the protection of his/her personal data. This right includes being informed of, having access to and requesting the correction and deletion of his/her personal data, and to be informed whether these are used in consistency with envisaged objectives.
With the Personal Data Protection Law No. 6698 ("PDP Law"), the protection of fundamental rights and freedoms of individuals in the processing of personal data and the obligations of natural and legal persons who process personal data and the procedures and principles to comply with are regulated. The purpose of this policy prepared in this direction is to ensure compliance with the obligations related to the regulations of the PDP Law.
The purpose of this Policy is the protection of personal data of customers, visitors, suppliers of KARCAN KESİCİ TAKIM SANAYİ VE TİCARET A.Ş. (KARCAN) and third parties. Protection of personal data of our employees is managed under the Policy Regarding Processing Personal Data of KARCAN Employees, which is written in line with the principles in this Policy.
In the event that the section which refers to these RULES is approved, it WILL BE DEEMED that all of these rules are known that they have been read and that the Data subject has authorized KARCAN regarding this content
KARCAN has the right to update these regulations on the Protection of Personal Data, partially or completely, within the framework of the changes that can be made in the current legislation, and the legal legislative changes will be deemed binding for both KARCAN and our followers.
2.PURPOSE
Personal Data Protection Law No 6698 was published in the Official Gazette No. 29677 dated April 7, 2016. PDP Law is regulated to protect the fundamental rights and freedoms of natural persons, including the privacy of private life of natural persons whose personal data are processed, and to determine the obligations of natural and legal persons who process personal data. In addition, the Law No. 6563 on the Regulation of Electronic Commerce includes provisions on the protection of personal data. In some cases, criminal sanctions have been stipulated for the protection of personal data through the provisions of the Turkish Criminal Code No.5237.
KARCAN KESİCİ TAKIM SANAYİ VE TİCARET A.Ş. (“KARCAN Personal Data Protection and Processing Policy ("Policy") has been prepared in order to protect fundamental rights and freedoms of people, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data.
It has been adopted that the activities carried out by KARCAN are maintained and developed in accordance with the principles in the PDP Law by this policy.
With this Policy, it is aimed to inform KARCAN employees on the following issues:
3. SCOPE
Data subjects whose personal data are processed within the scope of this Policy are categorized as follows:
| Customers | Real persons whose personal data are obtained due to business relations within the scope of activities carried out by KARCAN regardless of any contractual relationship |
| Third Persons | Other natural persons, including but not limited to suppliers, Prospective customers, Prospective employees, complainants, interns, whose personal data are processed within the framework of this Policy, although not defined in the Policy |
4. DEFINITIONS
The definitions used in this Policy are as follows:
| Explicit consent | Consent on a specific subject, based on information and explained with free will, providing permission and authorization to the addressee on the consented subject, |
| Anonymization | rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data, |
| Employee | All natural persons who work affiliated to KARCAN for a definite or indefinite period, |
| Service Provider | Personnel of the company (supplier, subcontractor, etc.) from/to which KARCAN receives and /or provides services |
| Personal Data | All kinds of information regarding an identified or identifiable natural person, |
| Processing of personal data | any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means |
| Personal Data Subject | A natural person whose personal data is processed, who is deemed to be a "concerned person" in the PDP Law |
| Personal Data Subject Application Form | Application form to be used by KARCAN employees when making their applications regarding their rights described in Article 11 of the PDP Law, |
| PDP Law | Personal Data Protection Law No 6698, |
| PDP Board | Personal Data Protection Board, |
| Personal Data of Special Nature | Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data, |
| Data Inventory | Personal data processing activities carried out by KARCAN depending on its business processes; personal data processing purposes, the recipient group to whom the personal data is transferred and the inventory that is created and detailed by associating it with the relevant group of personal data subjects. |
| Data Processor | the natural or legal person who processes personal data on behalf of the data controller upon its authorization. |
| Data Controller | the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system |
| Data Controllers’ Registry | Data controllers’ registry kept by the Presidency under the supervision of the Personal Data Protection Board |
5. GENERAL PRINCIPLES ON THE PROCESSING OF PERSONAL DATA
Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means are included within the scope of the processing of personal data in accordance with the article 3 of PDP Law.
The following principles shall be complied within the processing of personal data:
a) Lawfulness and conformity with rules of bona fides
Our company carries out the personal data processing activities in accordance with the law and the rules of honesty, in accordance with the Constitution, especially the PDP Law and the relevant legislation.
b) Accuracy and being up to date, where necessary
All kinds of administrative and technical measures are taken to ensure the accuracy and currency of personal data while processing personal data by our company.
c) Being processed for specific, explicit and legitimate purposes
Our company clearly and precisely determines the purpose of personal data processing before starting the personal data processing activity.
d) Being relevant with, limited to and proportionate to the purposes for which they are Processed.
Personal data are processed by our company to the extent necessary to achieve the specified goals. Data processing activity is not carried out with the assumption that it can be used later.
e) Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed.
Our company stores personal data for a limited period of time stipulated in the PDP Law and related legislation or for the purposes of data processing.
6. CONDITIONS FOR PROCESSING OF PERSONAL DATA
6.1. Conditions for processing of personal data
Our company can process personal data and personal data of special nature with the explicit consent of the personal data subject or without express consent in cases stipulated in Articles 5 and 6 of the PDP Law. KARCAN will be able to process the personal data of the data subject without seeking the explicit consent in cases where one of the following conditions is met;
6.2. Processing of Personal Data of Special Nature:
Our company carries out the processing of personal data specified as special nature that has the risk of creating discrimination when unlawfully processed, in accordance with the data processing conditions set forth in Article 6 of the PDP Law. It is forbidden to process personal data of special nature without the explicit consent of the personal data subject. However, provided that adequate measures determined by the PDP Board are taken, personal data of special nature may be processed in the following cases, altough there is no explicit consent of the personal data subject:
a. Processing of Personal Health Data:
Personal health data may be processed in the presence of one of the following conditions; provided (i) adequate measures to be stipulated by the PDP Board are taken, (ii) acted in accordance with the general principles, (iii) being under the obligation of secrecy:
b. Processing of Personal Data of Special Nature Other Than Health and Sexual Life
The processing of data within this scope will be possible in cases with the explicit consent of the personal data subject or in cases stipulated by law.
7. CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY
Categories of Personal Data Processed by Orient Sigorta
| Personal Data Category | Explanation | Data Subject Category Related to the Relevant Personal Data |
|---|---|---|
| Prospective Customer Data | Information obtained and produced about the relevant person as a result of the operations carried out by our business units in the first step in order to benefit from commercial activities | Prospective Customers |
| Dealer / Agent Data | Natural person who makes sale in a certain place or region on behalf of the Company based on the contract with the Company on a permanent basis, who carries out the preparatory work before the conclusion of the contract and assists in the execution of the contract and in the payment of the compensation, by using the practices of the Company | Customers, Agents, Brokers, Agent Partners |
| Information obtained and produced about the person concerned as a result of our commercial activities and operations carried out by our business units within this framework | Customers | |
| Customer Data | Other natural persons whose personal data are processed, including but not limited to suppliers, guarantors, victims /beneficiaries, family members, etc. | Suppliers |
| Third Parties | Information required to present the product or service | Suppliers |
8.LEGAL LIABILITIES
In accordance with the PDP Law, KARCAN has legal obligations within the scope of protection and processing of personal data. These obligations are listed as follows:
8.1. Disclosure Liability
KARCAN, is obliged to enlighten the person concerned and to inform the relevant person on the following issues within the scope of the relevant legislation regulation during the collection of personal data:
KARCAN will inform the persons concerned about the processing of their personal data in different vehicles within the scope of the disclosure obligation.
8.2. Information Obligation
The rights of the person from whom the personal data is provided, regulated in Article 11 of the PDP Law, regarding the protection of personal data (Your Rights Section of this document) are as stated. In accordance with the PDP Law, KARCAN is obliged to evaluate the requests submitted regarding the said rights and to inform the Relevant Persons within the scope of the procedure and scope in line with their requests, and this notification will be made within the period prescribed by the legal legislation.
The said requests should be submitted duly to KARCAN in writing or through other methods to be determined by the PDP Board by the relevant Persons. KARCAN is working to provide more opportunities to the Relevant Person to use his application and rights in order not to contradict the decision of the Board on this matter.
8.3. Obligation to ensure data security and confidentiality
Our Company, in accordance with Article 12 of the PDP Law, takes all necessary technical and administrative measures to prevent unlawful processing of personal data and unlawful access to personal data, and to ensure the appropriate level of security in order to preserve personal data.
8.3.1. Technical Measures Taken to Ensure the Legal Processing of Personal Data and to Prevent Unlawful Access to Personal Data
KARCAN has taken all kinds of technical and technological security measures in order to protect your personal data and has taken your personal data under protection against possible risks.
8.3.2. Administrative Measures Taken to Ensure the Legal Processing of Personal Data and to Prevent Unlawful Access to Personal Data
8.3.3. Measures to be Taken in Case of Unlawful Disclosure of Personal Data
In the event that the processed personal data is obtained by others through illegal means, our Company will notify the relevant data subject and the Board as soon as possible.
8.4. Obligation to register with the Data Controllers’ Registry
KARCAN is obliged to register with the Data Controllers’ Registry within the period determined and announced by the PDP Board in the Regulation and other legislation, pursuant to Article 16 of the PDP Law.
9. RULES OF PROCESSING PERSONAL DATA
9.1. Principles to be followed regarding the processing of personal data:
All personal data collected will be processed in accordance with the principles specified in Article 4 of the PDP Law and the provisions specified in Articles 5 and 6 of the same law. KARCAN is responsible for processing personal data linked to the purpose, limited and in a proportionate manner pursuant the law and honesty rules regarding the processing of personal data in accordance with Article 4 of the PDP Law, accurately and when necessary, pursuing specific, clear and legitimate purposes.
In this context;
• KARCAN is obliged to act in accordance with the rules, prohibitions, rights and principles stipulated by laws and other legal regulations during the processing of personal data.
• KARCAN will be transparent during the processing of personal data due to the necessity of complying with the rules of honesty and will comply with the obligation of informing and enlightening.
• KARCAN will be able to process personal data for legitimate and legal reasons, that is, only for limited purposes that are legally specific and legal, within the scope of the permission granted to it in cases where it is required to obtain permission.
• KARCAN will process personal data to the extent necessary. In this context, taking into account the principle of proportionality, personal data will not be used except for the activities carried out by KARCAN and the cases required by the purpose within the scope of these activities. In addition, the processing of unnecessary or unneeded personal data will be avoided by exceeding the measure to achieve the goal.
• KARCAN will keep personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed, and after the end of this period, it will not retain this data (if possible) without anonymizing it for any reason.
10. PROCESSING PURPOSES OF PERSONAL DATA AND RETENTION PERIOD
10.1. Purposes of Processing Personal Data
KARCAN processes personal data in accordance with Articles 5 and 6 of the KVK Law, for the following and similar purposes, in cases where approval is required, with the consent of the data subject within the scope of the legal legislation.
Personal and contact data: Name-surname, telephone, e-mail information is processed by Human Resources, Information Technologies and Customer Relations departments for the following purposes;
Supplier Data; are processed by the Purchasing and Administrative Affairs department in order to maintain the relationship and transactions with the company suppliers.
They are processed by the accounting department in order to carry out the BA/BS reporting process and transmitted to the certified public accountants and their employees.
It is processed by the administrative affairs department in order to follow up the cargo transactions.
10.2. Retention Periods of Personal Data
Our company determines whether a period of time is stipulated in the relevant legislation for the retention of personal data. If a period is stipulated in the relevant legislation, it complies this period; if a period of time is not stipulated, it retains the personal data for the period required for the purpose for which they were processed. If the purpose of processing personal data has expired and the retention periods determined by the relevant legislation and/or our Company have expired, they can only be retained for the purpose of constituting evidence in possible legal disputes, asserting of the rights related to personal data or establishing a defense. Personal data are not retained by our Company based on the possibility of future use.
11. PERSONAL DATA TRANSFER POLICY
The procedures and principles to be applied in personal data transfer are regulated in Articles 8 and 9 of the PDP Law, and the personal data and personal data of special nature of the personal data subject can be transferred to third parties at home and abroad. Your personal data may be processed by KARCAN for the performance of the services pursuant to the Law and other legislation (Including but not limited to the Insurance Law, Tax Procedure Law, Attorneyship Law No. 1136 and other regulations regarding these laws, regulations of supervisory and regulatory institutions and organizations and the cases required by public authorities) and can be shared with the third parties that KARCAN receives service, contracted institutions, attorneys for the resolution of legal disputes, natural and legal persons with whom we have a proxy relationship, our business partners, domestic/foreign persons and institutions from which we receive data storage service in the cloud, domestic / foreign organizations that we have contract for sending of commercial electronic messages, and other third parties. However, in any case, personal data cannot be transferred without the express consent of the personal data subject other than the exceptional cases.
11.1. Transfer of Personal Data at Home
In accordance with Article 8 of the PDP Law, the transfer of personal data at home will be possible provided that one of the conditions specified in the 6th section titled "Processing of Personal Data" of this Policy is met.
11.2. Transfer of Personal Data Abroad
In accordance with Article 9 of the PDP Law, existence of one of the following issues are sought besides compliance with the conditions for transfer at home in order to transfer personal data abroad:
11.3. Groups of Person to Whom Personal Data is Transferred by our Company
Our company may transfer the personal data of personal data subjects within the scope of this Policy in accordance with Articles 8 and 9 of the PDP Law and within the framework of the purposes to the groups of person listed below:
| GROUPS OF PERSON | DEFINITIONS | PURPOSE OF TRANSFER |
|---|---|---|
| Legally Authorized Public Institutions and Organizations | Public institutions and organizations authorized to obtain the information and documents of our Company in accordance with the provisions of the relevant legislation | Limited to the purpose requested by the relevant public institutions and organizations within the framework of their legal authority |
| Legally Authorized Private Law Persons | Private law persons authorized to receive information and documents from our Company in accordance with the provisions of the relevant legislation. | Limited to the purpose requested by the relevant private law persons within the legal authority. |
12. DELETION, DESTRUCTION AND ANONYMIZING OF PERSONAL DATA
Pursuant to Article 7 of the PDP Law, although the personal data has been processed in accordance with the relevant legislation, if the reasons for its processing disappear, the personal data will be deleted, destroyed or anonymized by our Company, either ex officio or upon the request of the personal data owner.
The procedures and principles regarding this issue will be fulfilled in accordance with the PDP Law and the secondary legislation to be enacted based on this Law.
13. RIGHTS OF PERSONAL DATA SUBJECTS AND EXERCISE OF THESE RIGHTS
In accordance with Article 13 of the PDP Law, the evaluation of the rights of personal data subjects and the notification to be made to the personal data subjects are carried out through the KARCAN Personal Data Owner Application Form as well as this Policy. Personal data owners can convey their complaints or requests regarding the processing of their personal data within the framework of the principles specified in the relevant form.
13.1. Right to Apply
In accordance with Article 11 of the PDP Law, anyone whose personal data is processed can apply to our Company and make requests regarding the following issues:
In accordance with the PDP, the Data Subject can request the following regarding data of the person concerned;
Personal data subjects may submit their requests regarding their rights specified in the law, in writing (by identity authentication on documents received by hand or through a notary public) or Registered Electronic Mail (KEP) address, Secure Electronic Signature, Mobile Signature or or by using the electronic mail address previously notified to the data controller by the data subject and registered in the data controller's system.
Title: KARCAN KESİCİ TAKIM SANAYİ VE TİCARET A.Ş.
Central Civil Registration System no: 0523060261000001
KEP address: [email protected]
E-mail address: [email protected]
Mailing Address: Organize Sanayi Bölgesi 20. Cadde No:31, 26110 Odunpazarı / ESKİŞEHİR
Data Controller: KARCAN KESİCİ TAKIM SANAYİ VE TİCARET A.Ş.
13.2. Situations Excluded from the Scope of the Right to Apply
In accordance with Article 28 of the PDP Law, it will not be possible for personal data subjects to claim their rights in the following cases::
a. personal data is processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security is to be complied with,
b. personal data is processed for the purpose of official statistics and for research, planning and statistical purposes after having been anonymized,
c. personal data is processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defence, national security, public security, public order, economic security, right to privacy or personal rights are not violated or they are processed so as not to constitute a crime,
d. personal data is processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorised and assigned to maintain national defence, national security, public security, public order or economic security,
e. personal data is processed by judicial authorities or execution authorities with regard to investigation, prosecution, criminal proceedings or execution proceedings.
In accordance with paragraph 2 of Article 28 of the PDP Law, it will not be possible for personal data subjects to claim their rights (except the right to demand compensation):
a. is required for the prevention of a crime or crime investigation.
b. is carried out on the data which is made public by the data subject himself.
c. is required for inspection or regulatory duties and disciplinary investigation and prosecution to be carried out by the public institutions and organizations and by professional associations having the status of public institution, assigned and authorised for such actions, in accordance with the power conferred on them by the law.
d. is required for protection of State’s economic and financial interests with regard to budgetary, tax-related and financial issues.
13.3. Response Procedure
Our Company will conclude the application requests made by the personal data subject free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request in accordance with Article 13 of the PDP Law.
The application of the personal data owner may be rejected in the following cases:
a. Prevention of the rights and freedoms of other people
b. Requiring disproportionate effort
c. Information being open to public
d. Endangering the privacy of others
e. Existence of one of the situations out of the scope pursuant to the PDP Law.
14. PUBLICATION OF THIS DATA POLICY
This data policy and rules will be notified to users who have personal data together with the disclosure obligation within the scope of the legal legislation and will also be published on the websites of KARCAN. This Policy may be revised by KARCAN if deemed necessary. In case of revision, the most up-to-date version of the Policy will be posted on the website of the Company.
