PERSONAL DATA POLICY / KVKK

1. PURPOSE AND SCOPE

The main objective of this Personal Data Protection Policy (the "Policy") is to provide explanations regarding the personal data processing activities carried out by our Company pursuant to the law and the systems adopted for the protection of personal data and, in this context, to provide transparency by informing the people whose personal data is being processed by our Company. This Policy applies to all activities managed by the Company regarding the processing and protection of personal data by the Company along with the relevant detailed data procedures. 

 

2. DEFINITIONS

• KVKK: Personal Data Protection Law numbered 6698
• GDPR: EU General Data Protection Regulation
• Data Processor: The natural person or legal entity that process data on behalf of the data controller with the authority given by the data controller
• Data Controller: The one who defines the purpose and the means of processing personal data and responsible of the data recording system management
• Data Subject: A natural person, includes but not limited to an employee, customer, business partners, stakeholders, authorities, leads, candidate for recruitment, intern, visitors, suppliers, employee of business partners, third parties of the Company and its affiliates with whom they have a commercial relationship, whose data is processed.
• Explicit Consent: Consent that is related to a specific issue based on information and expressed with free will.
• Personal Data: Any information related to a natural person whose identity is known or could be identified
• Sensitive Personal Data: Biometric and genetic information related with race, ethnicity, political or philosophical opinions, religion, sect or other believes, appearance, union memberships, health, sex life, convictions, and security measures etc.
• Processing of Personal Data: Any kind of operation performed on data such as obtaining, recording, storing, preservation, modification,
• reorganization, disclosure, transfer, takeover, making available, classification or preventing the use of personal data in fully or partially automated or non-automated ways, provided that it is part of any data recording system
• Anonymization of Personal Data: To render data in such a way that it can no longer be associated with an identified or identifiable person even when the personal data is matched with other data.
• Deleting Personal Data: To delete or to render personal data in such a way that it is no longer accessible or reusable for the users
• Destroying Personal Data: Rendering the personal data to make it inaccessible, unrecoverable and not useable by anyone
• Company: İmge Yüksel
• KVK Board / Board: Turkish Personal Data Protection Board
• KVK Authority / Authority: Turkish Personal Data Protection Authority 

 

3. POLICY

This Policy is prepared in accordance with the rules and procedures foreseen in KVKK and related law for the protection of personal data. In his context, as Data Controller is also liable to prevent illegal processing of personal data and access and protect the personal data from being accessed illegally in accordance with KVKK, he/she must take all necessary technical and administrative measures.

 

4. PRINCIPLES TO BE FOLLOWED WHILE PROCESSING DATA

Our Company acts in accordance with the following general principles in all its Personal Data Processing activities:

• Personal data must be processed lawfully, fairly, and transparently
• Personal data can only be collected for specific, explicit, and legitimate purposes
• Personal data must be adequate, relevant, and limited to what is necessary for processing
• Personal data must be accurate and kept up to date with every effort to erase or rectify without delay
• Personal data must be kept in a form such that the data subject can be identified only if is necessary for processing
• Personal data must be processed in a manner that ensures the appropriate security

 

5. PERSONAL DATA COLLECTED

Your personal data collected by our company varies according to the quality of the relationship with our company and the legal obligations. Your personal data collected can be listed as follows:

• Identity Information (liable to amendments as per to requirements, ID number, name, surname, passport number, if the ID card shared, the information on the card, photo, etc.)
• Contact Information (E-mail address, phone number, mobile phone number, address etc.)
• Customer Transaction Information (payment receipts, orders, and relevant information taken under record in regards to purchases)
• Process Security Information (website password and password information, etc.)
• Risk Management Information (associated with Data Subject, address register system records, IP address tracking records etc.)

The Personal Data types listed do not include all your processed data and personal data similar to the data listed by our company may be processed.

 

6. THE PURPOSES OF PROCESSING PERSONAL DATA

The purpose of processing personal data information varies according to the relationship between the company and personal data subject and legal nature of the business. The purposes of processing personal data by the Company are as follows:

• Within the scope of the company based commercial activities, planning and business development tasks, etc.
• Realization of legally required transactions, performance of obligations
• Declarations made to official institutions
• Activities related to the establishment and execution of contracts
• Managing, conducting, planning, and improving client relations
• Activities for the realization of post-contract services
• Monitoring, planning and execution of consultancy activities
• Monitoring, planning and execution of financial and accounting activities
• Planning and execution of information technologies and data security activities
• Planning and execution of physical and electronic / network security activities
• Increasing brand awareness;
• Planning and execution of actions aimed at increasing the level of perception about corporate activities and brand
• Planning, management and execution of organizations, meetings, invitations, and events
• Managing the client satisfaction processes during and / or following the completion of service offering processes
• Activities for receiving, evaluating, and finalizing demands and complaints,
• Realization and follow-up of transactions and activities to fulfill the obligations arising from the contractual relationship
• Within the scope of planning, execution and management of corporate relations;
• Managing, conducting, planning, and developing relations with suppliers / business partners
• Building and conducting corporate managerial communication activities
• Building and conducting external trainings
• Within the scope of legal, technical and commercial security measures among parties in relation with the Company data is processed under;
• Notifying the relevant authorities / institution and / or conducting responsibilities within the audit processes
• Assuring security measures on physical and electronic environments for the parties the Company is involved with
• Keeping records as per to commercial security measures and organizing, conducting, and auditing these measures for the parties the Company is involved with
• Assuring the applicable activities are being conducted in regard with data accuracy and making sure the data is up to date
• Planning and / or conducting the Health & Safety processes 

 

7. METHODS OF PROCESSING PERSONAL DATA AND ITS LEGAL GROUND

Personal data can be obtained / received by parties who are data subject and / or third parties who have explicit consent from the data subject. The obtained personal data can be processed  by collecting, saving, editing, configuring, storing, adapting, changing, using, transferring, deleting, destroying, and anonymizing. Personal Data may be processed by one or more of the above methods without the explicit consent of the data subject in the presence of one the legitimate reasons listed in Article 5 of KVKK:

• Explicitly prescribed in laws and any relevant legislation.
• Being legally mandatory for the person cannot grant consent due to physical incapability or legally forbidden to grant consent in regards with other's living rights
• Requirement on processing personal data of the parties subject to a contract / agreement, due to the execution of a contract / agreement.
• Legally being mandatory for the data controller to fulfil the legal liability.
• Publicized by the data subject directly.
• Legally being mandatory to be processed for a granted right to be conducted, used and / or protected
• Processing personal data for legitimate purposes without contracting the basic rights and freedom of the data subject.

 

8. RETENTION AND DESTRUCTION OF PERSONAL DATA

Our company takes into account the law and legislation that is in place during processing the personal data. Within this scope, the retention and period of limitations are taken into account on Personal Data Protection activities. In case the processing activity is disposed, and there is no further legal ground to store personal data, relevant data is to be deleted, destroyed and / or anonymized. The personal data shall be subject to retention, disposal, or anonymization upon the demand of the data subject and / or the Company's periodic control in which the Company realizes the reason to process the data is no longer available, due to the Article 7 of KVKK and other related legislation.

 

9. TRANSFER OF PERSONAL DATA

• Local Transfers

Personal data is not transferred to any third party without an explicit consent, unless it is legally required due to KVKK, relevant legislation and cases where it is mandatory to be shared with the external parties due to administrative / juridical cases. However, as per to the Article 5 and Article 6 of KVKK, in case legal grounds are present and it is legally required, on third party transferred, consent / explicit consent will not be observed.

Our Company fulfills its obligation to inform the Data Subject regarding this transfer. Accordingly, the institutions, organizations and / or persons that can be transferred are listed below.

• Transfers to Abroad

The Company may transfer the personal data abroad by obtaining explicit consent of the data subject along with taking appropriate and necessary security measures foreseen in KVKK and related legislation. For the situations in which the explicit consent of the data subject is not sought, it is considered whether the country that the data will be transferred, is in "adequate country" stature and has enough protection or not. If the Board considers that the transferee country is not in adequate country statute, the Board approval should be taken, and a data transfer protocol should be signed to guarantee enough protection.

• Data Transfer to Third Parties

Within the scope of the Labor Law, Obligations Law, Income Tax Law and Procedures, Commercial Law, Private Employment Agencies, and relevant legislations:

Related public institutions and organizations,
Competent authority,
Tax offices workplace inspector, İŞKUR, regional labor and SGK can be share with administrative institutions and organizations.
Apart from these, our Company shall not disclose your personal data in accordance with Articles 8 and 9 of KVKK and take all security measures specified in the relevant legislation;
To business partners, suppliers, business partners that we cooperate with at local and / or abroad,

Data can be transferred to externally supported law offices, courts, and other official and judicial authorities upon request.

 

10. MEASURES REGARDING THE PROVISION OF DATA SECURITY

Technical and administrative measures are taken to prevent data breaches to ensure the security of personal data.

 

11. KEEPING PERSONAL DATA UP-TO-DATE

In accordance with Article 4 of  KVKK our Company has an obligation to keep your personal data accurate and up-to-date. In this context, in order for our Company to fulfill its obligations arising from the applicable legislation,  Customers are mandated to share accurate and up-to-date data or update it via our website / mobile application.

 

12. RIGHTS OF THE DATA SUBJECT

Within the scope of Article 11 of KVKK the data subject has the following rights and if he / she wishes, he / she can use his / her rights by reaching the data controller in the methods determined by him/her:

• To learn whether personal data is being processed
• To make requests regarding the nature of information held and to whom it has been disclosed
• To learn the processing purpose of personal data and whether it is used in accordance with this purpose
• To be informed about the third parties that the personal data is transferred in local or abroad and to make notification as regards the transactions made
• To demand correction for the personal data that is processed as deficient or incorrect and to notify third parties about this
• To demand deletion or annihilation of the personal data of which reason to process is no more available, even if the data is processed in accordance with the related law
• To object any result against the data subject
• To demand compensation in case of any damage caused by illegal processing of the personal data

 

13. EXERCISES OF RIGHTS OF DATA SUBJECT

In accordance with KVKK regulations, in cases you have inquiries on your rights, contact us by sending an email to permitted.love@gmail.com.

All queries will be answered within 30 days of receipt. If the transaction requires an additional cost, the tariff set by Turkish Personal Data Protection Board will be charged.