Personal Data Protection and Processing Policy
KVKK Law on Protection of Personal Data No. 6698 published in the 'Resmi Gazete' dated 7 April 2016 and numbered 29677.
The Data Processor person who processes personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
The Relevant Person, The person whose personal data is processed. The Data Controller person or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. Explicit Consent Consent about a specific subject, based on information and expressed with free will. Destruction Deletion or anonymization of personal data.
Recording Media, Any media containing personal data that is fully or partially automated or processed non-automatically, provided that it is a part of any data recording system.
Personal Data, Any information relating to an identified or identifiable person. Sensitive Personal Data about the race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. 'Personal Data Processing - KVKK' means that the data is obtained, recorded, stored, preserved, changed, rearranged, disclosed, transferred, taken over, made available, fully or partially automatically or by non-automatic means provided that it is a part of any data recording system. All kinds of operations performed on data such as bringing, classifying or preventing its use. 4 Anonymization of Personal Data Making personal data incapable of being associated with an identified or identifiable person under any circumstances, even by matching them with other data. Deletion of Personal Data: Deletion of personal data; making personal data inaccessible and unusable for the relevant users in any way. Destruction of Personal Data, The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. The deletion, destruction or anonymization process to be carried out ex officio at repetitive intervals in case all the conditions for processing personal data in the Periodic Destruction Law are no longer valid. Regulation on the Deletion, Destruction or Anonymization of Personal Data, which was published in the 'Resmi Gazete' dated 28 October 2017 and numbered 30224 and entered into force as of 1 January 2018.
Company Trend Büyük Mağazacılık SAN. and TİC. AS.
KVK Board/ Board Personal Data Protection Board.
KVK Authority Personal Data Protection Authority.
With this Policy, it is aimed to set forth the general principles and principles of the Company regarding the protection and processing of real person data subject to personal data processing activities within the scope of KVKK and to fulfill the obligations set forth in the legislation regarding these issues. The purpose of this Policy is to regulate the methods and principles to be followed in order to ensure that the personal data obtained by the Company is processed and protected in accordance with KVKK.
This Policy is implemented in all activities managed by the Company for the processing and protection of personal data. This Policy, the Company's business processes and activities contacted during; * employee candidates, * employees, family members of employees, * Company officials, * potential customers, employees / partners / officials of potential customers, * employees / partners / officials of customers, customers, * employees / partners / officials of suppliers, suppliers, * business partners relates to all personal data processed by business partners' employees/partners/authorities, *lessors, lessees' officials/partners/employees, *dealers, dealers' officials/partners/employees, *Website users, Site visitors, alternative buyers, and *other third parties . This Policy is implemented by the Company together with other relevant and detailed data procedures in the activities carried out for the processing and protection of all personal data.
3) IMPLEMENTATION OF THE POLICY
4) ISSUES REGARDING THE PROTECTION OF PERSONAL DATA
For the protection of personal data of the Company,
• Informing and enlightening the relevant persons regarding the use of their personal data, obtaining their explicit consent when necessary, • Determining the personal data obtained and processed by the Company, and risk analysis regarding the risks that may arise regarding the protection of this data. 7 • Preparing this personal data protection and processing policy regarding data processing activities carried out in business processes as required by the legislation, determining the procedures and principles to be applied during data processing, • Preventing the unlawful processing of personal data being processed pursuant to Article 12 of the KVKK, takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful access to personal data and to ensure the preservation of personal data. The measures taken in this context are regulated by the Company's Data Retention and Destruction, Data Breach Intervention and Related Person Notification Management Policies.
5) PROTECTION OF PRIVATE PERSONAL DATA
Company; carries out the necessary activities to ensure the security of the health data of its employees and takes all kinds of technical and administrative measures in order to comply with the legal requirements and the adequate measures determined by the Board in order to ensure that these data are processed in accordance with the law.
6) PERSONAL DATA PROCESSING POLICY
6.1 Principles to Follow Regarding the Processing of Personal Data All personal data processed by the Company are processed in accordance with KVKK and relevant legislation. The company, pursuant to Article 4 of the KVKK; processes personal data in accordance with the law and the rules of honesty, accurate and when necessary, pursuant to current, specific, clear and legitimate purposes, in connection with the purpose, in a limited and measured manner. In this context; Processing in Compliance with the Law and the Rule of Integrity: The Company acts in accordance with the principles introduced by legal regulations and the rule of trust and honesty in the processing of personal data. Ensuring Personal Data Are Accurate and Up-to-Date When Necessary: The Company ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of the person concerned and the Company's legitimate interests. Processing for Specific, Explicit and Legitimate Purposes: The Company clearly and precisely determines the legitimate and lawful purpose of processing personal data. The Company processes personal data in connection with the products and services it offers and as much as is necessary for them. The purpose for which personal data will be processed by the Company is set forth before the personal data processing activity begins. Being Related to the Purpose for which they are Processed, Limited and Measured: The Company processes personal data in a way that is suitable for the realization of the determined purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed. In this context, the Company considers the principle of proportionality in the processing of personal data, and does not use personal data other than as required for the purpose. In addition, regarding the processing of personal data, the balance of interests of the data controller and the person concerned is observed. 8 Retaining Personal Data for the Period Envisioned in the Relevant Legislation or Required for the Purpose of Processing: The Company retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context, it first determines whether a period is foreseen for the storage of personal data in the relevant legislation, acts in accordance with this period if a period is determined, and if a period is not determined, it stores the personal data for the period required for the purpose for which they are processed. Personal data is deleted, destroyed or anonymized by the Company in the event that the period expires or the reasons requiring the processing of the data are eliminated in line with the request of the person concerned. 6.2. Actions of the Company Regarding the Processing of Personal Data a) Collection: The Company may obtain personal data related to its business, in line with pre-defined and lawful purposes. b) Processing: The Company may use personal data in relation to its business, within the scope of confidentiality obligations to which the Company is a party, and if the purpose for which the data is obtained is in compliance with the law. c) Data Reduction (data minimization): It can obtain and use personal data in accordance with the purpose of use of personal data, related to this purpose and in limited cases. It does not obtain and use the data that is determined not to be necessary and ensures the destruction of the obtained ones. d) Retention: Personal data only, i. As long as it is necessary for the purpose of the Company's use of the data, and ii. It can be stored under the conditions regulated by law or where permitted. The Company deletes, destroys or permanently anonymizes all other personal data it uses. e) Transfer: Unless otherwise agreed, it can only transfer personal data in accordance with applicable laws and when necessary. 6.3. Purposes of the Company for Processing Personal Data The Company informs the persons concerned during the acquisition of personal data in accordance with Article 10 of the KVKK. In this context, the Company clarifies the identity of itself and, if any, its representative, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of collecting personal data and the legal reason, and the rights of the persons concerned under Article 11 of the KVKK. The Company processes personal data limited to the following conditions in the personal data processing conditions specified in Articles 5 and 6 of the KVKK and for the following purposes. 6.3.1 Conditions 9 Personal data may be processed during the activities of the Company, if it is expressly stipulated in the law. The processing of personal data by the Company is directly related to and necessary for the conclusion or performance of a contract; Personal information before the contract and at the beginning of the contract; It may be processed for the purpose of preparing an offer, preparing a purchase form or meeting the demands of the person concerned in connection with the contract result. During the contract preparation process, the relevant persons can be contacted in the light of the information they provide. The processing of personal data is mandatory for the Company to fulfill its legal obligations; The processing of personal information is free even if it is legally requested or permitted to do so. Provided that personal data is made public; may be processed by the Company on a limited basis for publicizing purposes. It may be processed if the processing of personal data by the Company is necessary for the establishment, exercise or protection of the rights of the Company or the relevant person or third parties. Provided that it does not harm the fundamental rights and freedoms of the persons concerned, it may also be processed in cases where it is necessary to process personal data for the legitimate interests of the Company. Legitimate interests are those that comply with law, morality and good manners, as well as material interests. Planning, execution, promotion and execution of company activities, analysis for the development and personalization of the service offered by the Company and informing users, execution of organization/event and sponsorship processes, execution of vehicle tracking system and physical space security Situations where the company has legitimate interests in processing personal data example can be given. Personal data may also be processed if the personal data processing activity by the company is necessary for the protection of the life or physical integrity of the person or another person, and in this case, the personal data subject is unable to express his consent due to actual impossibility or legal invalidity. In the absence of the above-mentioned conditions, the Company applies for the explicit consent of the person concerned in person or through the relevant channels in order to process personal data. In any case, the processing of sensitive personal data regarding the health of the person concerned is subject to express consent. 6.3.2 Objectives In order to ensure the execution of the company's human resources policies; recruitment of suitable personnel for vacant positions, planning and execution of fringe benefits and benefits for employees, planning and execution of employee access authorizations, monitoring and/or supervision of employees' business activities, fulfillment of employment contract and/or regulatory obligations for company employees, occupational health and safety Planning and execution of internal/external training activities, Project, sales, marketing, maintenance and technical support processes and operations, financial operations, communication, customer relationship management and purchasing operations and logistics activities (demand, offer, evaluation, order, budgeting, contract, etc.), planning and execution of customer relationship management processes, planning and/or customer satisfaction processes Follow-up of customer requests and/or complaints, Organization and event management and sponsorship activities, Management of advertisement/campaign/promotional processes and planning and execution of communication and marketing activities, Execution of contract and tender processes, Planning and execution of website usage procedure, Information Planning, auditing and executing security processes, creating and managing information technology infrastructure, providing Information Technology (IT) services (this includes account management, data storage, maintenance, support), financial and/or accounting and legal follow-up. Carrying out audit activities, Planning and executing the necessary operational activities to ensure that the company's activities are carried out in accordance with company procedures and/or relevant legislation, Ensuring that the data is accurate and up-to-date, Providing information to authorized persons and/or organizations based on the legislation, The company's vehicle tracking system ensuring physical space security.
7) TRANSFER OF PERSONAL DATA
8) RIGHTS OF THE RELATED PERSON
KVKK m. Pursuant to 11, as a personal data owner, your requests regarding the implementation of KVKK and any information requests regarding the processing of your personal data; You can send it to the KEP address email@example.com with your secure electronic or mobile signature or to Maltepe Mahallesi Davutpaşa Caddesi NO: 129 Zeytinburnu İSTANBUL in person or in writing via a notary public. In addition, if you have an e-mail address previously notified to us by you and registered in our system, you can send your requests to firstname.lastname@example.org with this e-mail address. Communiqué on Application Procedures and Principles to Data Controller m. 5, your name, surname, your signature if your application procedure is written in your application, your Turkish identity number if you are a citizen of the Republic of Turkey, your passport number or identity number if you are a foreigner, your address of residence or workplace for notification, e-mail address, telephone and It is mandatory to include your fax number and the subject of your request. In this context, your applications will be finalized as soon as possible and within 30 days at the most, free of charge. However, if the transaction requires an additional cost, the fee in the tariff determined by the KVK Board may be charged. In this context, we would like to state that you have the following rights as a personal data owner. 1. Learning whether your personal data is being processed, 2. Requesting information if your personal data has been processed, 3. Learning the purpose of processing your personal data and whether they are used in accordance with its purpose, 4. Knowing the third parties to whom your personal data has been transferred, 5. Personal data Requesting correction of your data if it is incomplete or incorrectly processed, Requesting the notification of third parties to whom your data has been transferred, 8. Objecting to the emergence of a result against you by analyzing your processed data exclusively through automated systems 9. Requesting the compensation of the damage in case you suffer damage due to unlawful processing of your personal data don't. Although it has been processed in accordance with the provisions of the KVKK and other relevant legislation, your personal data will be deleted, destroyed or anonymized by us, ex officio or upon your request, in case the reasons requiring processing are eliminated.
9) DELETING, DESTROYING OR ANONYMOUSING PERSONAL DATA BY THE COMPANY
In cases where The Company has the right and/or obligation to preserve personal data, limited to the period required by the relevant legislation or the purpose of processing, the right to refuse to fulfill the request of the person concerned is reserved. However, although the personal data has been processed in accordance with the provisions of the relevant law in accordance with the regulation of Article 7 of the KVKK, in the event that the reasons for processing disappear, it is deleted, destroyed or anonymized ex officio or if the person concerned makes a request in this regard. In this context, the Personal Data Storage and Disposal Policy and the Related Person Notification Management Policy have been prepared. Our company shows the utmost care and attention to the safe storage of personal data, unlawful processing and prevention of access, and the provisions of Article 12 and Article 6 of the KVKK and the provisions of the Regulation, the general principles stated above, this Policy and KVK. In accordance with the decisions of the Board, all necessary technical and administrative measures are taken according to the relevant technological possibilities and the cost of implementation.
10) DATA PROTECTION OFFICER
Responding to the applications, taking the necessary actions regarding the applications, in order to control and control whether the personal data used within the scope of company activities are legally processed, protected, stored, transferred and destroyed in accordance with the provisions of the relevant legislation, in order to meet the demands and requests of the person concerned, Data Protection Officer regarding the issues of updating the records, checking and updating the inventory and policies, managing the periodic destruction processes, making the necessary correspondence with the KVK Institution, taking the necessary precautions within the scope of the current case law, providing and updating the necessary controls regarding data protection. and it has been ensured that all necessary activities are carried out within the scope of the aforementioned legislation, including but not limited to those listed.