POLICIES REGULATION ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
1- PURPOSE AND SCOPE
As Data Controller Zabit İç ve Dış Ticaret Limited Şirketi, we hereby comply with the issues of ensuring the effective use of the rights of the data subjects processed in accordance with the relevant legislation, including the Constitution of the Republic of Turkey and the International Agreements and the Law on the Protection of Personal Data No. 6698, and the processing, storage and transfer of all personal data we obtain. We act in accordance with the principles of our Policy Regulation.
As Zabit İç ve Dış Ticaret Limited Şirketi, we are referred to as the data controller within the scope of the Law on Protection of Personal Data No. 6698. Our active customers who benefit from our company’s products and services, our potential prospective customers with whom we make job offers, our employees, our employees’ family members, interns, candidates applying for a job in our company, our shareholders, our authorities, our suppliers, our consultants, our authorized dealers, our subcontractors, our collaborating companies and their employees, shareholders , its officials, our visitors, our users who visit our website, the data of the people who are in contact with our company during our activities are processed automatically within the framework of our Personal Data Protection Policy regulation as the data controller or non-automatically provided that they are part of any data recording system.
2- DEFINITIONS
a) Data Controller: Zabit İç ve Dış Ticaret Limited Şirketi
b) Explicit Consent: The consent on a certain subject, based on information and freely, openly and clearly expressed,
c) Anonymization: It is the rendering of personal data that cannot be associated with an identified or identifiable natural person in any way, even by matching with other data.
d) Employee: All employees of our company,
e) Relevant Person: Natural persons whose personal data are processed,
f) Personal Data: Any information relating to an identified or identifiable natural person,
g) Sensitive Personal Data: People’s race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, health information, fingerprints, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security biometric and genetic data,
h) Processing of Personal Data: Obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available personal data fully or partially automatically or non-automatically provided that it is a part of any data recording system All kinds of operations performed on data such as classification or prevention of use,
i) Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
j) Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,
k) Department Managers: Means the managers of the relevant department in our company, who are responsible for the process necessitating a personal data processing activity.
l) Personal Data Protection Committee: Committee members who will provide the necessary coordination within the Company within the scope of ensuring, maintaining and maintaining compliance with the personal data protection legislation,
m) Contact Person: It is the individual person responsible for following the personal data processing activities within our company and the implementation of the KVK Policies. The Contact Person is also a member of the KVK Committee and acts as the contact person of our Company within the scope of the KVK Legislation before the data controllers registry.
n) KVK Board: Personal Data Protection Board.
o) KVK Authority: Personal Data Protection Authority.
p) KVKK: The Law on Protection of Personal Data published in the Official Gazette dated 7 April 2016 and numbered 29677.
r) Policy: Zabit İç ve Dış Ticaret Limited Şirketi Personal Data Protection and Processing Policy Regulation,
3) DUTIES AND RESPONSIBILITIES
KVK (Personal Data Protection Committee) is responsible for overseeing compliance with the KVK Policy of all organs and departments of our Company. The contact person within the KVK Committee will perform the duties and responsibilities assigned to him in accordance with the KVK Policy. In this context, the duties and responsibilities of the KVK Committee and Contact Person within our Company as Data Controller are defined as follows.
A) Personal Data Protection Committee
Within the framework of KVKK and in the process of compliance with this law, a KVK Committee has been established within our Company. The job plan job descriptions of the committee are given below.
a) Ensuring compliance with this policy throughout our company and the effective implementation of the personal data protection and compliance program stipulated by the policy,
b) To make the necessary assignments and to coordinate within the activities for the implementation of the KVK Policy,
c) To determine the issues that need to be done in order to ensure compliance with the personal data protection legislation and to inform the management, to express an opinion spontaneously or upon request on the issues within this scope, or to take the necessary actions to obtain an expert opinion on the subject,
d) To raise awareness within the body of our Company and the institutions with which our company cooperates, on legislation and information security issues within the scope of the protection of personal data, and to provide the necessary trainings for our Company employees who process personal data,
e) To maintain and follow up the necessary communication with the Public Institutions and Private institutions for the protection of personal data, especially the Personal Data Protection and Board,
f) To manage the applications of personal data owners, to make a final decision on them and to ensure that the applications are responded to in a timely manner,
g) Ensuring that our company’s personal data processing inventory is kept up-to-date and necessary notifications are made to the data controllers registry,
h) Ensuring that the necessary records are kept to prove our Company’s compliance with the personal data protection legislation within the scope of the KVK Policy,
i) To examine significant cases in terms of data security, to identify and implement the necessary measures to minimize the risks that may arise on personal data owners and our Company,
j) To ensure that our company is timely informed of the changes in the legislation and implementation of the Personal Data Protection Board,
k) To ensure that the KVK Policies are reviewed periodically and that the proposed changes are submitted to the management for approval, together with their justifications,
B) Contact Person
Zabit İç ve Dış Ticaret Limited Şirketi Contact Person He is a member of the KVK committee. To monitor the effectiveness of the measures taken by our company to comply with the personal data protection legislation, to ensure that the KVK Committee fulfills its duties and responsibilities listed above, and to call the KVK Committee to a meeting when necessary,
The Contact Person also acts as the contact person within the scope of the KVK Legislation before the data controllers registry of our Company and the KVK Authority. In case the Contact Person is absent from our Company due to permission or other reasons, a different employee is temporarily assigned by the KVK Committee. In this case, the person appointed temporarily is responsible for the fulfillment of all duties assigned to the Contact Person within the scope of the Personal Data Protection Policy.
C) Department Managers
The managers of the relevant service are responsible for the execution of the relevant data processing activity at each department within our company. The Department Manager fulfills the requirements of the KVK Policy and the legal regulations within his own department, and in this context, works in cooperation with the Contact Person and the KVK Committee.
D) All Employees
All employees of our company are obliged to have a good grasp of the KVK Policies and to implement the rules in their content. In this context, all employees of our Company work in harmony with the KVK Committee and Contact Person, provide feedback to improve the KVK Policy and act in cooperation.
4) POLICY PRINCIPLES
Our company, Zabit İç ve Dış Ticaret Limited Şirketi, in accordance with Article 20 of the Constitution and Article 4 of the KVK Law, regarding the processing of personal data; performs personal data processing activities in accordance with the law and honesty rules, accurately and, when necessary, within the framework of up-to-date, specific, clear and legitimate purposes, in a limited and measured manner in connection with the purpose, and retains them for as long as required by the law or the personal data processing purpose.
Our company, our active and potential customers benefiting from its products and services, our employees, interns, employee candidates, shareholders, officials, suppliers, consultants, authorized dealers, companies we cooperate with and their employees, shareholders, officials, visitors, users visiting our website, during our activities Personal information of people who are in contact with our company; It processes data such as identity, contact information, information about all kinds of products within the scope of its field of activity, health data, request and complaint management.
In cases where explicit consent is required by law, our company’s data owners can benefit from our products and services, be informed about marketing, advertising, promotions and innovations, as well as to inform the data owners in order to fulfill the requirements of orders, offers and contracts, to fulfill the financial and legal obligations of the Company. It processes personal data based on the following criteria, provided that consent is obtained.
5) TERMS OF PROCESSING PERSONAL DATA
(a) Explicit Consent of the Personal Data Owner
One of the conditions for the processing of personal data is the explicit consent of the data owner. The explicit consent of the personal data owner should be disclosed on a specific subject, based on information and free will. In the presence of the following personal data processing conditions, personal data may be processed without the need for the explicit consent of the data owner.
(b) Explicitly Provided in Laws
If the personal data of the data owner is expressly stipulated in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, the existence of this data processing condition may be mentioned.
(c) Failure to Obtain the Explicit Consent of the Related Person due to Actual Impossibility
The personal data of the data owner may be processed if it is necessary to process the personal data of a person who is unable to express his or her consent due to actual impossibility or whose consent cannot be validated, in order to protect the life or bodily integrity of himself or another person.
(d) Direct Concern with the Establishment or Performance of the Contract
Provided that it is directly related to the conclusion or performance of a contract to which the data owner is a party, personal data may be processed if it is necessary to process personal data.
(e) Fulfilling the Company’s Legal Obligation
Personal data of the data owner may be processed if the processing is necessary for our company to fulfill its legal obligations.
(f) Publicizing the Personal Data of the Personal Data Owner
If the data owner has made his personal data public, the relevant personal data may be processed for the purpose of making it public.
(g) Data Processing Necessary for the Establishment or Protection of a Right
If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.
(h) Mandatory Data Processing for the Legitimate Interest of Our Company
Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company.
PROCESSING OF SPECIAL QUALITY PERSONAL DATA
Special quality personal data is processed by our Company in accordance with the legal regulations and the principles set forth in this Policy, by taking all necessary administrative and technical measures and in the presence of the following conditions.
(a) Special categories of personal data other than health and sexual life may be processed without seeking the explicit consent of the data owner, provided that it is expressly stipulated in the law. Otherwise, the explicit consent of the data owner will be obtained.
(b) Special quality personal data regarding health and sexual life are disclosed by persons or authorized institutions and organizations under the obligation to keep confidential for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and managing health services and these services. may be processed without consent. Otherwise, the explicit consent of the data owner will be obtained.
PURPOSE OF PROCESSING PERSONAL DATA
Our company, Zabit İç ve Dış Ticaret Limited Şirketi, processes personal data with the following purposes and conditions, limited to the purposes and conditions specified in the personal data processing conditions specified in the 2nd paragraph of the 5th article of the KVK Law and the 3rd paragraph of the 6th article. These purposes and conditions are:
Production, Manufacturing, Application, Research and Development Marketing activities
Sales of finished products, semi-finished raw materials and application labor activities, Performance of after-sales services,
Fulfilling the requirements of the contracts,
Performing invoice issuance and collection processes,
To customers; product-service promotion, information, advertisement, campaign and other benefits, sending commercial electronic messages, survey applications, statistical analysis,
Carrying out studies to improve service quality and providing better service,
Outsourcing of services,
Receiving services on subjects that do not fall within their area of expertise,
Identity confirmation, Evaluation and response of requests and complaints,
Providing financial reconciliations with relevant business partners and other third parties,
Providing necessary information in line with the requests and inspections of official authorities,
Measuring customer satisfaction,
In terms of employees; Creation of the personal file, determination of whether it is capable of constantly fulfilling the requirements of the job, making private health insurance, creating a health file, taking occupational safety measures,
Publishing the visual and audio data obtained in the organization, work and other activities within the scope of its field of activity for the purpose of creating corporate memory and developing the business,
Using the data received through the website or social media channels for marketing purposes through third party agencies,
Fulfillment of legal obligations,
Execution and follow-up of reporting and risk management processes,
Execution and follow-up of legal affairs,
Creating and tracking visitor records.
DISCLOSURE OF PERSONAL DATA OWNER
Our company, in accordance with Article 10 of the KVK Law and secondary legislation, is responsible for the personal data of the personal data owners by whom and for what purposes they are processed, for which purposes they are shared, with which methods they are collected, and the legal reason and the personal data of the data owners within the scope of processing. informs about their rights.
TRANSFERRING PERSONAL DATA
Our company can transfer the personal data and special quality personal data of the personal data owner to third parties (third party companies, group companies, third real persons) in line with the personal data processing purposes in accordance with the law, by taking the necessary security measures. Personal data, even without the explicit consent of the data owner, may be transferred to third parties by our Company, provided that legal, technical and administrative measures are taken in accordance with the current legislation and regulations, in case one or more of the following conditions are present.
The relevant activities regarding the transfer of personal data are clearly stipulated in the laws,
The transfer of personal data by the Company is directly related to and necessary for the establishment or performance of a contract,
The transfer of personal data is mandatory for our Company to fulfill its legal obligation,
The personal data has been made public by the data owner,
The transfer of personal data by the Company is mandatory for the establishment, exercise or protection of the rights of the Company or the data owner or third parties,
It is compulsory for the person or someone else, who is unable to express his consent due to actual impossibility, or whose consent is not legally valid, to protect his or her life or physical integrity.
SPECIAL QUALITY PERSONAL DATA TRANSFER
Special quality personal data may be transferred by our Company in accordance with the principles set forth in this Policy, by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:
(a) Special categories of personal data other than health and sexual life may be processed without the explicit consent of the data owner, provided that it is expressly stipulated in the law. Otherwise, the explicit consent of the data owner will be obtained.
(b) Persons or authorized institutions and organizations that are under the obligation to keep confidential for the purpose of special quality personal data regarding health and sexual life, protection of public health, preventive medicine, medical diagnosis, treatment and care services, health services and the planning and management of these services. may be processed without explicit consent. Otherwise, the explicit consent of the data owner will be obtained.
PERSONAL DATA STORAGE PERIODS
Our company, Zabit İç ve Dış Ticaret Limited Şirketi, retains personal data by taking all necessary legal, technical and administrative measures, in accordance with the scope of KVKK, for the period specified in these regulations, in case it is stipulated in the relevant laws and regulations.
If a period of time is not regulated in the legislation regarding how long personal data should be kept, Personal data is kept for a period of time that requires it to be kept in accordance with the practices and practices of the industry, depending on the activity carried out by our Company while processing the data, and then deleted in accordance with the relevant policy created by our Company according to the nature of the data.
If the purpose of processing personal data has ended and the storage periods determined by the relevant legislation and our Company have expired, personal data can be stored only to provide evidence in possible legal disputes or to assert the relevant right related to personal data or to establish a defense. Here, too, personal data is deleted after the aforementioned period expires.
RIGHTS OF PERSONAL DATA OWNERS AND THE USE OF THESE RIGHTS
Personal data owners within the scope of KVKK,
(1) Learning whether personal data is processed or not,
(2) If personal data has been processed, requesting information about it,
(3) Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
(4) To know the third parties to whom personal data is transferred in the country or abroad,
(5) Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
(6) Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing cease to exist despite the fact that it has been processed in accordance with the provisions of the law and other relevant laws, and requesting that the transaction carried out within this scope be notified to the third parties to whom the personal data has been transferred,
(7) Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
(8) It has the right to demand the compensation of the damage in case of loss due to the unlawful processing of personal data.
Personal data owners may submit their requests regarding these rights to our Company through the methods determined by the Board. Our company will evaluate the application made by the data owner and finalize it as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.
REVIEW AND AUDIT
The KVK Committee within the body of our company, Zabit İç ve Dış Ticaret Limited Şirketi, will monitor the legal, technological and organizational changes and developments that may occur within the scope of protecting personal data and ensure that actions are taken.
The KVK Committee controls the personal data processing activities and all kinds of issues related to these activities, and reports to the management the issues that are found to be inconsistent with the rules and legislation in the KVK Policies as a result of the review of the complaint requests and the improvement suggestions regarding them.
The KVK Committee conducts at least 2 (two) inspections per year to ensure our company’s compliance with the personal data protection legislation. The said review is carried out by the KVK Committee itself. In the said inspection activities, the following matters are examined as a minimum.
a) Effective and correct implementation of KVK Policies, duties and responsibilities assigned by the management, undertaken and fulfilled by the employees,
b) The level of education and awareness of the employees is sufficient,
c) Personal data processing inventory, disclosure statements and other documents are correct, complete and up-to-date,
d) The administrative and technical measures taken for personal data security are effective and sufficient,
e) Keeping the KVK Policies up to date in response to legal, technological and organizational developments.
The improvement points determined following the review are reported to the management by the KVK Committee and the necessary work is followed up by the Contact Person.
IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION
In case of inconsistency between the legislation changes in force and the Policy on the processing and protection of personal data, our company’s Personal data processing and protection policy regulation is revised and updated within the framework of the current legislation.
Zabit Domestic and Foreign Trade Limited Company