EKOL DATA POLICY
1. PURPOSE
For Ekol Hazır Giyim Tic Ltd. Şti ("EKOL"), it is a priority to process the personal data of real persons, including our members, customers, visitors, suppliers and employees, in accordance with the relevant legislation, in particular the Constitution of the Republic of Turkey, the international conventions on human rights to which our country is a party, and the Law on the Protection of Personal Data No. 6698 ("KVKK"), and to ensure that the persons whose data are processed can exercise their rights effectively.
Therefore, we carry out the processes regarding the processing, storage and transfer of all personal data, including but not limited to that of our employees, suppliers, customers, visitors, members, and users visiting our stores, website and mobile applications, in accordance with the EKOL Personal Data Protection and Processing Policy ("Policy").
Protecting personal data and observing the fundamental rights and freedoms of natural persons whose personal data are collected are the basic principles of our policy regarding the processing of personal data. For this reason, we carry out all our activities in which personal data are processed, taking into account the protection of privacy, the confidentiality of personal information, the confidentiality of communication, freedom of thought and belief, and the right to use effective legal remedies.
For the purpose of protecting personal data, we take all administrative and technical protection measures required by the nature of the data in accordance with the legislation and up-to-date technology.
This Policy explains the methods we follow for the processing, storage, transfer, deletion or anonymization of personal data shared during our commercial, promotion-marketing or social responsibility and similar activities within the framework of the principles mentioned in the KVKK.
2. SCOPE
All personal data processed by the Company, including our visitors, business contacts, business partners, employees, suppliers, members, third parties, are within the scope of this Policy.
Our policy is implemented in all activities related to the processing of personal data owned or managed by the Company, and has been handled and prepared by considering the KVKK and other relevant legislation regarding personal data and international standards in this field.
3. DEFINITIONS and ABBREVIATIONS
This section briefly explains the special terms and phrases, concepts, abbreviations, etc. used in the Policy.
EKOL Sti.
· Explicit Consent: Consent on a specific subject, based on information and free will, given clearly and unambiguously, and limited to that transaction.
· Anonymization: Rendering personal data so that it cannot be associated with an identified or identifiable natural person under any circumstances, even by matching it with other data.
· Employee : Company Personnel.
· Personal Data Owner (Relevant Person): The natural person whose personal data is processed.
· Personal Data : Any information relating to an identified or identifiable natural person.
· Special Quality Personal Data: Data on people's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, health information, fingerprints, clothing, association, foundation or union membership, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.
· Processing of Personal Data: All kinds of operations performed on personal data, such as obtaining, recording, storing, keeping, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of the data, fully or partially automatically, or non-automatically provided that it is a part of any data recording system.
· Data Processor : The natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.
· Data Controller : The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
· KVK Board
· KVK Authority : Personal Data Protection Authority.
· KVKK : The Law on Protection of Personal Data published in the Official Gazette dated 7 April 2016 and numbered 29677.
· Policy : EKOL Personal Data Protection and Processing Policy.
4. ROLE AND RESPONSIBILITIES
4.1. Board of Directors
The Board of Directors is responsible for the oversight of the determination and operation of notification, review and sanction mechanisms in case of non-compliance with the Policy, rules and regulations.
Personal Data Protection and Processing Policy has been approved by the Board of Directors.
It is the authorized approval mechanism to ensure that the policy is created, implemented and updated when necessary.
4.2 Control Unit
The Audit Unit is responsible for taking the necessary measures for the compliance of the foreign service companies, together with the employees involved, with the Policy, and for examining issues contrary to the Policy.
4.3 Information Systems Commission
The Information Systems Commission is responsible for the preparation, development, execution and updating of this Policy. It evaluates this Policy in terms of timeliness and development needs when necessary. It is the responsibility of the Information Systems Commission Manager to publish the prepared document on the institution portal.
5. LEGAL OBLIGATIONS
Legal obligations within the scope of protection and processing of personal data as a data controller pursuant to KVKK are listed below:
5.1. Our obligation to inform
While collecting personal data as a data controller, we have an obligation to inform the Related Person about:
· The purpose for which your personal data will be processed
· Our identity, and the identity of our representative, if any
· To whom and for what purpose your processed personal data can be transferred
· The way we collect the data and the legal reason
· The rights arising from the law.
As a company, we take care to ensure that this Policy, which is open to the public, is clear, understandable and easily accessible.
5.2. Our obligation to ensure data security
As the data controller, we take the administrative and technical measures stipulated in the legislation to ensure the security of the personal data in our responsibility. Obligations and measures regarding data security are detailed in the 9th and 10th sections of this Policy.
6. CLASSIFICATION OF PERSONAL DATA
6.1. Personal data
Personal data is any information relating to an identified or identifiable natural person.
The protection of personal data is only related to real persons, and information belonging to legal entities that do not contain information about the real person is excluded from personal data protection. Therefore, this Policy does not apply to data belonging to legal entities.
6.2. Special categories of personal data
Data on people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, their clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions, and security measures, and biometric and genetic data are special categories of personal data.
7. PROCESSING PERSONAL DATA
7.1. Our personal data processing principles
We process personal data in accordance with the principles below.
7.1.1. Processing in accordance with the law and honesty rules
We process personal data in accordance with the rules of honesty, transparently and within the framework of our obligation to inform.
7.1.2. Ensuring that personal data is accurate and, where necessary, up to date
We take the necessary measures in our data processing procedures to ensure that the processed data is accurate and up-to-date. We also allow the Personal Data Owner to apply to us to update their existing data and to correct any errors in their processed data, if any.
7.1.3. Processing for specific, explicit and legitimate purposes
As a company, we process personal data within the scope of our legitimate purposes, the scope and content of which are clearly defined, in order to continue our activities within the framework of the legislation and the ordinary course of commercial life.
7.1.4. Personal data must be connected, limited and measured for the purpose for which they are processed.
We process personal data in connection with the purpose we have clearly and precisely determined, in a limited and measured way.
We avoid the processing of personal data that is not relevant or does not need to be processed. For this reason, we do not process personal data of a special nature unless there is a legal requirement, or we obtain express consent on the subject when we need to process it.
7.1.5. Storage of personal data for the duration of our legitimate commercial interests and stipulated by legal regulations
Many regulations in the legislation require personal data to be kept for a certain period of time. For this reason, we keep the personal data we process for as long as required by the relevant legislation or for the purposes of processing personal data.
In the event that the storage period stipulated in the legislation expires or the purpose of processing disappears, we delete, destroy or anonymize personal data. Our principles and procedures regarding retention periods are detailed in article 9.1 of this Policy.
7.2. Our purposes for processing personal data
We process personal data for the purposes listed below:
· Conducting Our Commercial Activities
· Providing support services within the scope of the contract and within the framework of service standards
· To identify the preferences and needs of our members/visitors and to shape and update the services we provide within this scope
· Ensuring that our legal obligations are fulfilled as required or mandated by legal regulations
· Evaluating job applications
· Liaising with people who have a business relationship with the Company
· Marketing
· Compliance management
· Vendor/supplier management
· Legal reporting
· Billing
· Executing the EKOL Membership System
· Ensuring communication between EKOL employee candidates and employers
· Managing call center processes
· Providing corporate communication
· Individualizing EKOL favorite campaigns and suggesting campaigns and promotions according to their interests
· Liaising between the company and the transportation or technical service after purchasing the product specific to EKOL
· Sending newsletters by SMS, e-mail, engaging in marketing activities or making notifications.
7.3. Processing of special categories of personal data
Special categories of personal data are processed by us by taking the administrative and technical measures envisaged by the laws and by the KVK Board, if there is express consent, or when required by the legislation.
Since sensitive personal data related to health and sexual life can be processed by persons or authorized institutions and organizations under the obligation of keeping confidentiality, for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing, it is not processed by us other than the data of our employees. Such data belonging to our employees may be processed by the persons stipulated by the law.
7.4. Processing of personal data collected through cookies
We use cookies to improve the functioning and use of our websites or mobile applications, and we try to make the time you spend on our digital platforms more productive and enjoyable. In addition, we use some cookies to remember the choices you make on our websites and mobile applications, thus providing you with an improved and personalized experience.
We can collect your personal data, process, transfer and store the data we collect through cookies on our digital platforms.
You can find detailed information about the cookies we use in the "EKOL Privacy Policy".
7.5. Processing personal data for human resources and employment purposes
We process, store and transfer your personal data in your CV, diploma, photograph and other documents that you share with us during the application process as an employee candidate, for the purpose of job application evaluation. The processing, transfer and storage of the personal data you share as an employee candidate is within the scope of this Policy.
Apart from this Policy, the personal data of the Employee is collected, processed and stored within the framework of EKOL Human Resources.
7.6. Processing of personal data collected within the scope of other memberships provided through the EKOL Membership system
To become a member of the digital platform through the EKOL ONLINE system, visitors share the following information with us:
· Name surname
· E-mail address
· Phone number
· Date of Birth-TC ID
By sharing this information, they create a membership in the system. (Let's confirm the information.)
Deletion, destruction or anonymization of personal data within the scope of this platform is within the scope of Article 9 of this Policy.
7.7. Processing of personal data collected within the scope of Job Application
Personal data obtained through application forms and applications made to intermediary institutions will be recorded to be used for the evaluation of the job application.
Applicants are advised to review the personal data processing and privacy policies of these institutions.
Those who apply with the Application Form create a resume by sharing the following information:
· Identity information (name, surname, date of birth, TR ID number)
· Contact information (address, e-mail address, phone number, etc.)
· Educational information (graduated schools, etc.)
· Work experiences
· Foreign language knowledge
· Certificate
· Reference
· Photograph
Depending on the nature of the application, the employer may request additional photographic-health data from the member who creates the CV in order to evaluate whether he is qualified for the job in question. The requested health information is processed only for employment purposes within the scope of the relevant legislation.
Identity and contact information is processed for the purpose of creating a pool of applicants for job and employee finding, creating a resume, communication, business development, marketing and information. Social network information of applicants, existing social information and personal data collected through social network accounts are processed in order to improve the user experience by conducting and developing operational activities such as business development and marketing.
The information shared by the applicants within the scope of the CV can be viewed by the employer companies. Within the scope of the legislation, it stores the identity, education and profession information of the APPLICANT and can transfer these data to solution partners, public institutions and organizations upon request.
Deletion, destruction or anonymization of personal data within the scope of this platform is within the scope of Article 9 of this Policy. In the event of a negative result of the job application process, the processing and data security of personal data shared with the employer is the responsibility of the employer.
7.8. Processing of personal data collected within the scope of Purchase Transactions
When a purchase is made, the financial information of the CUSTOMER is transferred to individuals and institutions such as banks or credit card companies to carry out the transaction.
During the purchase, data such as the customer's invoice and payment information (name, surname, TC, phone number, invoice address), invoices sent and receipt samples of payments received from members, payment number, invoice amount, invoice number and invoice date are obtained. These data are processed for managing the invoicing process, accounting, after-sales services, communication, marketing, auditing, control, and payment service providers. When the purchase is made, the financial information of the customer is transferred to persons such as banks or credit card companies in order to carry out the transaction. Credit card information is not kept in EKOL databases.
During shopping, video recording is made in stores for security purposes and to view cashier transactions.
The above-mentioned data is transferred in accordance with article 8 of this Policy and shared with third parties.
Deletion, destruction or anonymization of personal data within the scope of this platform is within the scope of Article 9 of this Policy.
7.9. Exceptional cases where express consent is not sought in the processing of personal data
In exceptional cases listed below and arising from the law, we may process personal data without express consent:
· Clearly stipulated in laws
· It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract
· Data processing is mandatory for the establishment, exercise or protection of a right
· We are required to process your data for our legitimate interests as data controller, provided that it does not harm fundamental rights and freedoms.
Exceptional cases where sensitive personal data can be processed without the explicit consent of the Relevant Person are specified in article 7.3 of this Policy.
8. TRANSFERRING PERSONAL DATA
8.1. Transfer of personal data within the country
As a company, we act in line with the decisions and regulations stipulated in the KVKK and taken by the KVK Board regarding the transfer of personal data.
Without prejudice to the exceptional circumstances in the legislation, personal data and sensitive data are not transferred by us to other real persons or legal entities without the explicit consent of the Relevant Person.
In exceptional cases stipulated by the KVKK and other legislation, the data may be transferred to the authorized administrative or judicial institution or organization in the manner stipulated in the legislation and within the limits, without the explicit consent of the Relevant Person.
In addition, with the exceptional cases stipulated by the legislation;
· In cases described in the Policy
· In cases listed in the Policy regarding personal data of special nature, with the taking of the measures stipulated by the KVK Board and the relevant legislation, and for the health of the Relevant Person and the personal data of special nature, only for the protection of public health, the execution of preventive medicine, medical diagnosis, treatment and care services, the planning and management of health services and financing, it can be transferred to persons or authorized institutions and organizations that are under the obligation to keep secrets without seeking explicit consent.
8.2. Transfer of personal data abroad
As a rule, personal data is not transferred abroad without the explicit consent of the Relevant Person. However, in cases where one of the exceptional cases of this Policy exists, personal data may be transferred abroad without express consent only if the third parties abroad:
· Are in countries where there is sufficient protection declared by the KVK Board
· Are located in countries where there is no adequate protection, and the data controllers in Turkey and in the foreign country in question undertake adequate protection in writing and the KVK Board has given permission.
8.2.1. Transfer of personal data abroad for the purposes of providing our services and marketing activities
We work with service providers located abroad for purposes such as developing the website and digital platforms, conducting surveys, increasing the variety of products and services according to the preferences of visitors and members, and measuring user experience. It is recommended to examine the relevant policies of the service providers we cooperate with regarding the processing and protection of personal data.
8.3. Institutions and organizations to which personal data is transferred
In accordance with the principles and rules described above, personal data can be transferred to:
· Our suppliers
· Our business partners and business contacts
· Technical services
· Shipping companies
· Cargo companies
· Legally authorized public institutions and organizations
· Legally authorized private law persons
· Our Partners
· Independent audit firms
8.4. Measures we take regarding the legal transfer of personal data
8.4.1. Technical measures
To protect personal data, including but not limited to those listed, we:
· Make in-house technical organization for the processing and storage of personal data in accordance with the legislation
· Build the technical infrastructure to ensure the security of databases where your personal data will be stored
· Follow and audit the processes of the technical infrastructure created
· Determine the procedures for reporting the technical measures and audit processes we take
· Periodically update and renew technical measures
· Re-examine risky situations and produce the necessary technological solutions
· Use virus protection systems, firewalls and similar software or hardware security products and establish security systems in line with technological developments
· Employ employees who are experts in technical matters.
8.4.2. Administrative measures
To protect your personal data, including but not limited to those listed, we:
· Develop personal data access policies and procedures, including company and subsidiary employees within our company
· Inform and train our employees on the legal protection and processing of personal data
· Record, in the contracts we make with our employees and/or the Policies we create, the measures to be taken in case of unlawful processing of personal data by our employees
· Control the personal data processing activities of the data processors we work with or the partners of the data processors.
9. STORAGE OF PERSONAL DATA
9.1. Keeping personal data for as long as required by the relevant legislation or for the purpose for which they are processed.
We keep personal data for as long as required by the purpose of processing personal data, without prejudice to the storage periods stipulated in the legislation.
In cases where we process personal data for more than one purpose, the data is deleted, destroyed or anonymized and stored if the purposes of processing the data disappear or there is no legal obstacle to the deletion of the data upon the request of the Relevant Person. In matters of destruction, deletion or anonymization, the provisions of the legislation and the decisions of the KVK Board are complied with.
9.2. Measures we take regarding the storage of personal data
9.2.1. Technical measures
· We establish technical infrastructures and related control mechanisms for the deletion, destruction and anonymization of personal data
· We take necessary measures for the safe storage of personal data
· We employ employees with technical expertise
· We create business continuity and emergency plans against possible risks and develop systems for their implementation
· We establish security systems in accordance with technological developments regarding the storage of personal data.
9.2.2. Administrative measures
· We raise awareness among our employees by informing them about the technical and administrative risks related to the storage of personal data
· In case of cooperation with third parties for the storage of personal data, we include in the contracts made with the companies to which personal data is transferred provisions regarding taking the necessary security measures for the protection and safe storage of the transferred personal data.
10. SECURITY OF PERSONAL DATA
10.1. Our obligations regarding the security of personal data
We take administrative and technical measures, according to technological possibilities and implementation costs, in order to:
· Prevent the unlawful processing of personal data,
· Prevent illegal access to personal data,
· Ensure that personal data is kept in accordance with the law.
10.2. Measures we take to prevent unlawful processing of personal data
· We conduct the necessary inspections within our company,
· We educate and inform our employees about the legal processing of personal data,
· The activities carried out by our company are evaluated in detail for all business units, and as a result of the said evaluation, personal data is processed specifically for the commercial activities carried out by the relevant units,
· In cases where third parties cooperate for the processing of personal data, we include in the contracts made with the companies that process personal data provisions regarding the taking of necessary security measures by the persons who process personal data,
· In case of unlawful disclosure of personal data or data leakage, we notify the KVK Board of the situation and carry out the investigations stipulated by the legislation and take the measures.
10.2.1. Technical and administrative measures taken to prevent unlawful access to personal data
To prevent unlawful access to personal data, we:
· Employ employees with technical expertise,
· Periodically update and renew technical measures,
· Establish access authorization procedures within our company,
· Determine the procedures for reporting the technical measures and audit processes we take,
· Build the data recording systems used within our company in accordance with the legislation and conduct periodic audits,
· Develop systems for the implementation of emergency aid plans against possible risks,
· Train and inform our employees about accessing and authorizing personal data,
· Include, in contracts with companies that provide access to personal data, in cases where third parties cooperate for activities such as processing and storing personal data, provisions regarding taking the necessary security measures of persons accessing personal data,
· Establish security systems within the scope of technological developments in order to prevent unlawful access to personal data.
10.2.2. Measures we take in case of unlawful disclosure of personal data
We take administrative and technical measures to prevent the unlawful disclosure of personal data and update them in accordance with our relevant procedures. If we detect that personal data has been disclosed without authorization, we establish systems and infrastructures to notify the Related Person and the KVK Board.
In case of an unlawful disclosure despite all the administrative and technical measures taken, this may be announced on the website of the KVK Board or by any other method, if deemed necessary by the KVK Board.
11. RIGHTS OF PERSONAL DATA OWNER
Within the scope of our disclosure obligation, we inform the Personal Data Owner and establish systems and infrastructures for this information. We make the necessary technical and administrative arrangements for the Personal Data Owner to exercise their rights regarding their personal data.
Regarding their personal data, the Personal Data Owner has the following rights:
· Learning whether personal data is processed or not
· If personal data has been processed, requesting information about it
· Learning the purpose of processing personal data and whether they are used in accordance with the purpose
· Knowing the third parties to whom personal data is transferred at home or abroad
· Requesting correction of personal data if it is incomplete or incorrectly processed
· Requesting the deletion or destruction of personal data in case the reasons requiring the processing of personal data disappear
· Requesting notification of the above-mentioned correction, deletion or destruction processes to third parties to whom personal data has been transferred
· Objection to the emergence of an unfavorable result by analyzing the processed data exclusively through automated systems
· Requesting the compensation of the damage in case of loss due to unlawful processing of personal data
11.1. Exercise of rights regarding personal data
The Personal Data Owner can submit requests regarding his/her personal data:
· In writing and with wet signature to Ceyhun Atuf Kansu Cd 100/6 Ata Plaza B Blok Balgat / Ankara
· To the account of ekolhazırgiyim@hs03.kep.tr
· To the electronic mail account of kisiselverim@ekolgiyim.com.tr, if your e-mail address is registered in our system.
The application must contain:
a) Name, surname and signature if the application is written,
b) For citizens of the Republic of Turkey, T.R. identification number, nationality for foreigners, passport number or identification number, if any,
c) Domicile or workplace address for notification,
ç) If available, the e-mail address, telephone and fax number for notification,
d) The subject of the request.
(3) Information and documents related to the subject are attached to the application.
(4) In written applications, the date of notification is the application date.
(5) In applications made by other methods; The date on which the application reaches us is the application date.
Such requests will be made individually and requests made by unauthorized third parties regarding personal data will not be taken into consideration.
11.2. Evaluation of the application
11.2.1. Application response time
Requests regarding personal data are concluded as soon as possible, and in any case within 30 (thirty) days at the latest, free of charge, or against the fee in the tariff if the conditions in the tariff to be published by the KVK Board are met.
Additional information and documents may be requested during the application or while the application is being evaluated.
11.2.2. Our right to refuse the application
Applications regarding personal data are rejected with justification in the following cases:
· Processing of personal data for purposes such as research, marketing, planning and statistics by anonymizing with official statistics
· Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate privacy or personal rights or constitute a crime
· Processing of personal data made public by the Personal Data Owner
· The application is not based on a just cause
· The application contains a request contrary to the relevant legislation
· Failure to comply with the application procedure
11.3. Evaluation procedure of the application
In order for the response period specified in this Policy to begin, the requests must be sent using the methods in article 11.1, together with information and documents proving the identity of the applicant.
If the request is accepted, the relevant action is applied and a notification is made in writing or electronically. In case of rejection of the request, the applicant is notified in writing or electronically by explaining the reason.
11.4. Right to complain to the Personal Data Protection Board
In cases where the application is rejected, the answer we give is insufficient or the answer is not given on time, the applicant has the right to complain to the KVK Board within 30 (thirty) days from the date of learning the answer and in any case within 60 (sixty) days from the date of application.
12. PUBLICATION AND STORAGE OF THE DOCUMENT
This Policy is stored in two different media, printed paper and electronic media.
13. UPDATE PERIOD
This Policy is reviewed at least once every two years and updated in accordance with the principles as needed.
14. ENFORCEMENT
This Policy is deemed to have entered into force after its publication on the Company's website.
15. REVOCATION
In the event that it is decided to be revoked, the wet signed old copies of this Policy are canceled and signed by the Legal Unit with the written approval of the Department Manager (with an annulment stamp or an annulment) and kept by the Legal Unit for a period of 5 years.
© 2020 EKOL HAZIR GİYİM İNŞ. TAAH. TİC. LTD. ŞTİ. All Rights Reserved.