DATA PROTECTION GUIDANCE AND COMMITMENTS OF THE COMPANY
Article 1. Scope of the Guidance
Through this document, the Company explains which personal data of the Relevant Persons will be processed for which purposes, how such personal data will be used, processed, stored, protected and altered, how such personal data will be shared with which third parties for which purposes and other related issues and informs the Relevant Persons who own such personal data about these issues in accordance with the provisions of Personal Data Protection Law numbered 6698 (“PDPL”).
Article 2. Definitions
2.1. Company : Almodo Altunlar Tekstil Sanayi ve Ticaret Anonim Şirketi (Istanbul Trade Registry Number: 329176/0)
2.2. Relevant Persons : Customers, service providers and other third persons
2.3. Personal Data : Any personal information relating to the Relevant Person.
2.4. Processing of Personal Data : All operations that are carried out on personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transfer, taking over, making retrievable, classification, processing or preventing the use thereof, fully or partially through automatic means or through non-automatic means provided that such processing will be a part of any data registry system.
2.5. Board : Personal Data Protection Board.
2.6. Making Anonymous : Altering personal data in a way that it is impossible to associate such personal data with any identified or identifiable natural person, including matching them with other personal data.
Article 3. Legal Basis of the Processing of Personal Data of the Relevant Person
3.1. Subject to the terms and conditions of this guidance, Relevant Person hereby agrees to the processing of his/her personal data by the Company in accordance with PDPL.
3.2. The Company declares, agrees and undertakes that while processing personal data of the Relevant Person in line with this guidance, it shall act in compliance with PDPL and other legal regulations enacted or to be enacted on the basis of PDPL and fulfill all legal obligations.
Article 4. Purpose of Processing the Personal Data of the Relevant Person
4.1. Legal Purposes
In order to enhance the quality of its services, the Company demands personal data appropriate for such purpose (identity details, contact data etc.) from the Relevant Person. Such personal data will be processed by the Company based on the explicit consent of the Relevant Person or, in the exceptional cases where such consent is not required, under the legislation applicable for the Company and pursuant to PDPL after all necessary information security measures are also taken, provided that personal data is not used for any purpose or scope other than those specifically defined in the personal data policy adopted by the Company.
The Company may obtain the information, documents and records containing personal information directly from the Relevant Person and/or indirectly from third persons and entities and then process and store that information in order to provide products and/or services to the Relevant Person or develop the services it provides or meet legal or operational requirements of its commercial relations within the scope of cooperation established with the Relevant Person. In that regard, personal data of the Relevant Person and any documents containing such information will be processed by the Company and will be shared with various administrative or judicial authorities and with the service providers and business partners that the Company works with when necessary.
4.2. Managerial Purposes
Personal data of the Relevant Person may be processed by the Company in order to fulfill legal and administrative requirements and will be disclosed to the official and judicial authorities when necessary.
4.3. Statistical Purposes
The Company may process the personal data of the Relevant Person in order to obtain statistical information so that it can manage its business more efficiently in economic and administrative terms and perform accurate technical analyses/reporting.
The Company will keep the personal data of the Relevant Person during the period required by law in order to comply with the legal requirements and carry out necessary legal procedures or for the period required with the specific purpose of processing or for the relevant statutory periods that may be needed in the protection or exercising of its rights arising from potential legal proceedings that might develop in the future. At the end of this period, personal data of the Relevant Person will be deleted, disposed or anonymized by the Company.
Personal data processed within the scope of the purposes stated in the Company’s personal data protection policy will be deleted, disposed or anonymized by the Company when the specific purpose of processing required under PDPL ceases to exist or when the periods stated in Turkish Commercial Code No. 6102, the Regulation on Deletion, Disposal or Anonymization of Personal Data published in the Official Gazette of Turkey dated October 28, 2017 and No. 30224 and Turkish Criminal Code No. 5237 have expired.
Article 5. Specific Method Used in the Processing of Personal Data of the Relevant Person
5.1. The Company agrees and declares that it possesses tools and devices with the most advanced technology to ensure the security of the information of the Relevant Person. The Company may store the personal information of the Relevant Person both in physical and electronic environments. In both cases, the Company undertakes to take all necessary technical and administrative measures to ensure the proper security for the protection of personal data of the Relevant Person and may also outsource relevant protection services if necessary. The Company shall also carry out/procure audits on the security system used to protect the personal data.
Personal data will be stored in the Company’s database with maximum security measures and based on limited access. Inspections required to validate proper operation of the security system used to protect personal data will be carried out/procured on periodic basis.
5.2. The Company undertakes not to disclose the personal data of Relevant Person to third parties in defiance of the law and not to use it for any purpose other than the purpose of processing.
5.3. If the Relevant Person’s personal data is obtained by others by unlawful means, the Company shall notify the Relevant Person and the Board as soon as possible.
5.4. Physical and Electronic Environment
All kinds of documents containing the personal data of the Relevant Person shall be kept in a secure environment by the Human Resources Department in such a way to prevent unauthorized access of any third parties.
The Company gives utmost importance to the protection of personal data. Therefore, the Company takes all necessary security measures to prevent unauthorized access to personal data or loss, misuse, disclosure, alteration or destruction of such information. Every year, the Company will ensure the performance of an audit in connection with information systems security containing several measures such as firewalls, access on limited authorization and physical security and create awareness among its personnel about the information systems security.
The Company will take any and all necessary technical and administrative measures required to ensure confidentiality and updated status of personal data. In the event of any harm to personal data or any unauthorized disclosure of personal data to third persons as a result of attacks on the web site or the system in spite of the information security measures taken by the Company, the Company will immediately inform the Relevant Persons and Personal Data Protection Board about this breach.
Article 6. Entities to which Personal Data of the Relevant Person will be Transferred and Purpose of Transfer
6.1. The Company may transfer the personal data of the Relevant Person within the scope of activities carried out by those public institutions and organizations delegated and authorized by law in order to fulfill its legal obligations or meet operational requirements arising from the areas of activity pursued by the Company or fulfill the requirements of judicial or administrative proceedings notified to the Company or protect its legal rights.
Subject to the statutory limitations, personal data may be transferred to the administrative and official authorities to whom that personal data should be transferred legally and to the legal entities such as shareholders of the Company operating within and outside of the country and independent audit firms having relations with the Company.
6.2. In order to create a productive and profitable economic enterprise, the Company may share the personal data of the Relevant Person with its business partners or its group companies including but not limited to consulting firms from which the Company obtains services or with which the Company enters into cooperation in connection with taxation, accounting and finance as well as law firms, IT firms, independent audit firms from which security and inspection services are obtained and marketing firms, transport companies and other financial institutions.
6.3. The Company shall take all necessary security measures to ensure the confidentiality of the personal data in relation to the persons and companies stated in 6.2 with which it cooperates. For that purpose, confidentiality agreements and undertakings regarding the protection and confidentiality of the personal information shall be signed between the Company and the third persons to whom personal data of the Relevant Person was transferred.
Article 7. The Relevant Person’s Rights on his/her Personal Data
7.1. The Relevant Person has the right to request information on whether his/her personal data is processed; if his/her personal data is processed, to request information on the purpose of the processing activity and whether the personal data is processed in accordance with the specified purpose; to be informed of the third parties who received such personal data, within the country or abroad; to request corrections if the personal data has been processed in an incomplete or incorrect manner; to request deletion and disposal of such data if the purpose of processing disappears; to request that third parties to whom his/her personal data has been transferred be notified of the correction, deletion and disposal of the personal data; to object to adverse outcomes that arise when personal data is processed automatically; and to claim compensation in case the Relevant Person suffers damages due to unlawful personal data processing.
Article 8. Application, Complaint and Update
8.1. Relevant Person may send his/her requests about his/her personal data to the Company in writing at the address Çerkezköy O.S.B. Karaağaç Mahallesi, 6.Sokak, No: 5 Kapaklı /Tekirdağ or by using the registered electronic mail address (REM) email@example.com or the e-mail firstname.lastname@example.org, secure electronic signature, mobile signature or an electronic mail address that the Relevant Person has previously notified to the Company and that is recorded in the Company’s system, or via a software or application developed for the specific purpose of application, by attaching necessary documents and information to this application, including the application form for the processing of personal data which can be obtained from the Company.
The application shall contain the following:
• Name, Surname and, if application is in writing, signature,
• Turkish ID Number for the citizens of the Republic of Turkey, nationality, passport number or, if any, ID number for foreign natural persons,
• Notification address of place of settlement or workplace,
• If provided, notification e-mail address, telephone and fax number,
• Subject of request
8.2. The Company will finalize the request made by the Relevant Person at latest within 30 days. If the Company notifies the Relevant Person in writing, no fee shall be charged for up to 10 pages.
The Company may charge the relevant person a fee of TL 1 for each page exceeding 10 pages. In case that our Company notifies Relevant Person by a CD or flash memory, the fee to be charged to him/her will not exceed the cost of that CD or flash memory.
If the Company refuses to fulfill the request stated in the application filed by the Relevant Person, it will provide its response in writing or via an e-mail.
Relevant Person is also entitled to file a complaint to the Personal Data Protection Board within 30 days as of the date he/she has been informed of the response of the Company, or within 60 days as of the application date in any case, when his/her application is rejected, the response given is found unsatisfactory or the response is not given within 30 days.
If the Company accepts the request of the application, it shall fulfill the requirements and the application fee received from Relevant Person should be refunded.